Foreword


The digital revolution is transforming the traditional ways of doing business, necessitating
realignment of the profession to leverage the multipliers of digital technology - enhanced efficiency,
scale and speed, effectiveness, agility and giving access to newer markets. In view of the rapid
technological changes, it is imperative for Information System Auditors to adapt and be innovative in
aiding organizations to improve their control environment and strengthen governance of IT risks.
Adoption of emerging technologies will help them to assimilate vast amounts of data and provide
value added analysis in the form of data analysis and business intelligence. Chartered Accountants
possess a unique blend of systems and process understanding and expertise in controls and
governance, and are thereby best suited to be the perfect Information Systems Auditor.


The Institute of Chartered Accountants of India (ICAI), through its Digital Accounting and 
Assurance Board (DAAB), is continuously monitoring technological developments and taking 
initiatives to disseminate updated knowledge amongst our members and other stakeholders. In this 
direction, it is heartening to note that the DAAB is bringing out the next version of “Educational
Material” for Post Qualification Course on Information Systems Audit. This updated and revised
Material combines technology, information assurance and information management expertise that
enable Chartered Accountants to be advisors and handle assurance assignments.


In this updated course curriculum various aspects of emerging technologies like, Blockchain, 
Robotics Process Automation, etc., have also been introduced to keep members fully abreast. With 
focus on increased practical aspects, case studies and lab manuals at appropriate places this 
material is a great learning guide for members aspiring to be Information Systems Auditor. 


I compliment CA. Manu Agrawal, Chairman, CA. Dayaniwas Sharma, Vice-Chairman and other
members of the Digital Accounting and Assurance Board for generation next material in digital era
by taking up this timely initiative.


I am confident that our members would take benefit of these updated modules of post qualification
course on Information Systems Audit, so as to render their professional responsibility as
Information System Auditor more efficiently and with the highest standards to achieve global recognition.


CA. Atul Kumar Gupta 
President, ICAI 


Place: New Delhi 
Date: April 12, 2020 


Preface 


Evolution of digital economy and ever-changing dynamic ecosystem presents significant 
challenges, including new competition, new business and service delivery models, unprecedented 
transparency, privacy concerns and cyber threats. With a goal to keep members abreast of impact 
of emerging technologies, Digital Accounting and Assurance Board has come out with the updated 
Post Qualification Course on Information Systems Audit Modules to equip members with 
specialised body of knowledge and skill sets so that they become Information Systems Auditors 
(ISAs) who are technologically adept and are able to utilize and leverage technology to provide 
reasonable assurance that an organization safeguards its data processing assets, maintains data
integrity and achieves system effectiveness and efficiency. This updated syllabus facilitates high 
level understanding about the role and competence of an IS Auditor to analyse, review, evaluate 
and provide recommendations on identified control weaknesses in diverse areas of information 
systems deployment. 


Revised Modules of Post Qualification Course on Information Systems Audit have a specific objective,
i.e., “To provide relevant practical knowledge and develop skills for planning and performing 
various types of assurance or consulting assignments in the areas of Governance, Risk 
management, Security, Controls and Compliance of Information Systems.” The core of DISA 3.0 
lies in inculcating competence to add to service delivery of the members. The updated course 
would help the members to apply appropriate strategy, approach, methodology and techniques for 
auditing information system and perform IS Assurance and consulting assignments by using 
relevant best practices, IS Audit standards, frameworks, guidelines and procedures. 


The updated ISA Course 3.0 has a blend of training and includes e-learning, live case studies and 
lab manuals, project work in addition to class room lectures. This updated background material 
also includes a DVD which has e-Learning lectures, PPTs, case studies, DEMO CAAT software, 
useful checklists and sample audit reports. New Module on “Emerging Technology and Audit” has 
been added which covers Information System Assurance and Data Analytics, Assurance in Block 
chain Ecosystem, and Embracing Robotic Process Automation in Assurance Services. In addition
to this, Artificial Intelligence and Internet of Things (IoT) have also been inducted in the new
modules.


We would like to take this opportunity to place on record our deep appreciation for the efforts put in 
by Convener, Dr. Onkar Nath as well as authors and reviewers of the various modules, viz., CA 
Anand Prakash Jangid, Mr. N.D. Kundu, Mr. Inder Pal Singh, Mr. Avinash Gokhale, CA Pranay 
Kochar, CA Naresh Gandhi, Dr Manish Kumar Srivastava, Dr. Saurabh Maheshwari, CA 
Narasimhan Elangovan and CA Atul Kumar Gupta. It would be also appropriate to express our 
thanks to all the ISA faculties for giving their inputs/ suggestions for the implementation of DISA 
3.0. 


We would like to express gratitude to CA. Atul Kumar Gupta, President, ICAI, and CA. Nihar 
Niranjan Jambusaria, Vice President, ICAI, for their thought leadership and encouragement to the 
initiatives of the Board. We would also like to place on record our gratitude for all the Board 
members, co-opted members and special invitees for providing their valuable guidance and 
support in this initiative of the Board. We also wish to express our sincere appreciation for CA. Amit
Gupta, Secretary, DAAB, Ms. Nishi Saraf, Section Officer for their untiring efforts in finalization of 
the updated Modules. 


We are sure that these updated Modules on Post Qualification Course on Information Systems 
Audit would be of immense help to the members and enable them to enhance service delivery not 
only in compliance, consulting and assurance of IT services, but also provide new professional 
avenues in the areas of IT Governance, Cyber Security, Information System Control and 
assurance services. 


CA. Manu Agrawal
Chairman
Digital Accounting and Assurance Board

CA. Dayaniwas Sharma
Vice-Chairman
Digital Accounting and Assurance Board
Learning Objectives:

• Understand concepts of the following Emerging Technologies and the evolving landscape
  o Artificial Intelligence, Blockchain, Cloud Computing, Data Analytics, Internet of
    Things and Robotic Process Automation
• Understand the Impact on the Profession
• Understand the Risks in Emerging Technologies
• Evaluate the approach of Governance and Controls in these Technologies
• Understand the inter-relationship with these emerging technologies.
• Understand Role of Professionals


6.1 Artificial Intelligence 
6.1.1 Meaning 


Artificial intelligence (AI) is an advanced computer system that can simulate human
capabilities, based on a predetermined set of rules. Some of the activities computers with
artificial intelligence are designed for include:

• Speech recognition
• Learning
• Planning
• Problem solving

Machine Learning


It refers to the use of computing resources that have the ability to learn, acquire and apply
knowledge and skills. These cognitive systems have the potential to learn from business
related interactions and deliver evidence-based responses to transform how organizations
think, act and operate.
[Figure with two panels: Traditional; Artificial Intelligence]

Fig. 6.1.1 Comparison between Traditional Systems and AI based systems
Common Terminologies used in AI


AI works by combining large amounts of data with fast, iterative processing and intelligent
algorithms, allowing the software to learn automatically from patterns or features in the data.
AI is a broad field of study that includes many theories, methods and technologies, as well as
the following major subfields:


Machine learning automates analytical model building. It uses methods from neural 
networks, statistics, operations research and physics to find hidden insights in data 
without explicitly being programmed for where to look or what to conclude. 


A neural network is a type of machine learning that is made up of interconnected units
(like neurons) that process information by responding to inputs and relaying information
between each unit. The process requires multiple passes at the data to find connections
and derive meaning from the raw data.


Deep learning uses huge neural networks with many layers of processing units, taking 
advantage of advances in computing power and improved training techniques to learn 
complex patterns in large amounts of data. Common applications include image and 
speech recognition. 


Cognitive computing is a subfield of AI that strives for a natural, human-like
interaction with machines. Using AI and cognitive computing, the ultimate goal is for a
machine to simulate human processes through the ability to interpret images and
speech, and then speak coherently in response.


Computer vision relies on pattern recognition and deep learning to recognize what's in 
a picture or video. When machines can process, analyze and understand images, they 
can capture images or videos in real time and interpret their surroundings. 


Natural language processing (NLP) is the ability of computers to analyze, understand 
and generate human language, including speech. The next stage of NLP is natural 
language interaction, which allows humans to communicate with computers using 
normal, everyday language to perform tasks. 


Emerging Technologies 


[Figure labels: machine learning, deep learning; natural language processing (NLP),
translation, classification & clustering, information extraction; speech, speech to text,
text to speech; expert systems; planning, scheduling & optimization; vision, image
recognition, machine vision]

Fig. 6.1.2 AI Streams


Why is AI important?


AI automates repetitive learning and discovery through data. AI performs frequent, high-volume,
computerized tasks reliably and without fatigue. For this type of automation,
human inquiry is still essential to set up the system and ask the right questions.


AI adds intelligence to existing products. In most cases, AI will not be sold as an
individual application. Rather, products you already use will be improved with AI
capabilities, much like Siri, which was added as a feature to a new generation of Apple
products.


AI adapts through progressive learning algorithms to let the data do the programming.
AI finds structure and regularities in data so that the algorithm acquires a skill. The
algorithm becomes a classifier or a predictor. Back propagation is an AI technique that
allows the model to adjust, through training and added data.


AI analyzes more and deeper data using neural networks that have many hidden layers.
AI has changed with incredible computer power and big data. You need lots of data to
train deep learning models because they learn directly from the data. The more data
you can feed them, the more accurate they become.


AI achieves incredible accuracy through deep neural networks - which was previously
impossible. For example, your interactions with Alexa, Google Search and Google
Photos are all based on deep learning and they keep getting more accurate, the more
we use them.


AI gets the most out of data. When algorithms are self-learning, the data itself can
become intellectual property. Since the role of the data is now more important than ever
before, it can create a competitive advantage.
Types of AI


Artificial Intelligence can be divided into various types, based on capabilities and
based on the functionality of AI.


AI: Based on Capabilities

1. Weak AI or Narrow AI:

• Narrow AI is a type of AI which is able to perform a dedicated task with
  intelligence. The most common and currently available AI is Narrow AI in the
  world of Artificial Intelligence.

• Narrow AI cannot perform beyond its field or limitations, as it is only trained for
  one specific task. Hence it is also termed weak AI. Narrow AI can fail in
  unpredictable ways if it goes beyond its limits.

• Some examples of Narrow AI are playing chess, purchasing suggestions on an
  e-commerce site, self-driving cars, speech recognition, and image recognition.

2. General AI:

• General AI is a type of intelligence which could perform any intellectual task with
  efficiency like a human.

• The idea behind general AI is to make a system that could be smarter and
  think like a human.

• Currently, no such system exists which could come under general AI and
  can perform any task as perfectly as a human.

3. Super AI:

• Super AI is a level of Intelligence of Systems at which machines could surpass
  human intelligence and can perform any task better than a human with cognitive
  properties. It is an outcome of general AI.

• Some key characteristics of strong AI include the ability to
  think, to reason, solve puzzles, make judgments, plan, learn, and
  communicate on its own.

• Super AI is still a hypothetical concept of Artificial Intelligence.


AI: Based on functionality

1. Reactive Machines

• Purely reactive machines are the most basic types of Artificial Intelligence
  systems.

• Such AI systems do not store information or past experiences for future actions.

• These machines only focus on current scenarios and react as per the best possible
  action.

2. Limited Memory

• Limited memory machines can store past experiences or some data for a short
  period of time.

• These machines can use stored data for a limited time period only.

• Self-driving cars are one of the best examples of Limited Memory systems.
  These cars can store the recent speed of nearby cars, the distance of other cars,
  the speed limit, and other information to navigate the road.

3. Theory of Mind

• Theory of Mind AI should understand human emotions, people and beliefs, and
  be able to interact socially like humans.

• This type of AI machine is still not developed, but researchers are making lots of
  efforts and improvements towards developing such AI machines.

4. Self-Awareness

• Self-awareness AI is the future of Artificial Intelligence. These machines will be
  super intelligent, and will have their own consciousness, sentiments, and
  self-awareness.

• These machines will be smarter than the human mind.

• Self-Awareness AI still does not exist in reality and it is a hypothetical concept.

AI Platforms


The following are a few of the AI Platforms:

• IBM - Watson Analytics
• Google - DeepMind - TensorFlow
• Microsoft - Cognitive Services
• Amazon - AWS AI Services
• Facebook - FBLearner Flow


AI and Speech Recognition


Speech recognition is technology that can recognize spoken words, which can then be
converted to text. A subset of speech recognition is voice recognition, which is the technology
for identifying a person based on their voice. Speech recognition has become increasingly
embedded in our everyday lives with voice-driven applications like Amazon’s Alexa, Apple’s
Siri, Microsoft's Cortana, or the many voice-responsive features of Google.


The technology to support voice-powered interfaces is growing powerful by the day. With the 
advancements in artificial intelligence and ample amount of speech data that can be easily 
mined for machine learning purposes, it would not be surprising if it becomes the next 
dominant user interface. 


Problem Types & Analytic Techniques used in AI


| TYPE | DESCRIPTION | EXAMPLE | TECHNIQUE |
|------|-------------|---------|-----------|
| Classification | Categorize new inputs as belonging to one of a set of categories | Identifying whether an image contains a specific type of object (Dog or Cat?) | CNNs, Logistic Regression |
| Continuous Estimation | Estimate the next numeric value in a sequence | Prediction, particularly when it is applied to time series data, e.g. forecasting the sales for a product, based on a set of input data such as previous sales figures, consumer sentiment, and weather | Feed forward Neural Networks, Linear Regression |
| Clustering | Individual data instances have a set of common or similar characteristics | Creating a set of consumer segments based on data about individual consumers, including demographics, preferences, and buyer behavior | K-means, Affinity propagation |
| Anomaly Detection | Determine whether specific inputs are out of the ordinary | Fraud detection, Money Laundering | Support Vector Machines, K-Nearest Neighbors, Neural Networks |
| Recommendations | Systems that provide recommendations, based on a set of training data | Suggest the product to buy for a customer, based on the buying patterns of similar individuals, and the observed behavior of the specific person, e.g. Netflix, Amazon | Collaborative filtering |


Advantages of AI


1. Error Reduction: Artificial intelligence helps us in reducing error and increases the chance of
reaching accuracy with a greater degree of precision. It is applied in various studies such as
exploration of space.


2. Difficult Exploration: Artificial intelligence and the science of robotics can be put to 
use in mining and other fuel exploration processes. These complex machines can also be 
used for exploring the ocean floor and hence overcome the human limitations. 


3. Daily Application: Computed methods for automated reasoning, learning and 
perception have become a common phenomenon in our everyday lives. We are also hitting 
the road for long drives and trips with the help of GPS. The smartphone is an apt and 
everyday example of how we use artificial intelligence. When we take a picture, the artificial 
intelligence algorithm identifies and detects the person’s face and tags the individuals when 
we are posting our photographs on social media sites. 


4. Digital Assistants: Highly advanced organizations use avatars that are replicas or 
digital assistants that can actually interact with the users, thus saving the need for human 
resources. Emotions are associated with moods that can cloud judgment and affect human 
efficiency. This is completely ruled out for machine intelligence. 


5. Repetitive Jobs: Repetitive jobs, which are monotonous in nature, can be carried out 
with the help of machine intelligence. Machines think faster than humans and can be put to 
multi-tasking. Machine intelligence can be employed to carry out dangerous tasks. Their 
parameters, unlike humans, can be adjusted. Their speed and time are calculation-based 
parameters only. 
6. No Breaks: Machines, unlike humans, do not require frequent breaks and
refreshments. They are programmed for long hours and can continuously perform without 
getting bored or distracted or even tired. 


Disadvantages of AI


1. High Cost: Creation of artificial intelligence requires huge costs, as they are very
complex machines. Their repair and maintenance also require huge costs. They have software
programs, which need frequent upgradation to cater to the needs of the changing
environment and the need for the machines to be smarter by the day.


2. No Replicating Humans: Intelligence is believed to be a gift of nature. Machines do
not have any emotions and moral values. They perform what is programmed and cannot make
the judgment of right or wrong. They cannot even take decisions if they encounter a situation
unfamiliar to them. They either perform incorrectly or break down in such situations.


3. No Improvement with Experience: Unlike humans, artificial intelligence cannot be 
improved with experience. With time, it can lead to wear and tear. It stores a lot of data but the 
way it can be accessed and used is very different from human intelligence. Machines are 
unable to alter their responses to changing environments. We are constantly bombarded by 
the question of whether it is really exciting to replace humans with machines. 


4. No Original Creativity: Originality and creativity are not the forte of artificial intelligence. While
machines can help you design and create, they are no match for the power of thinking that the human brain
has or even the originality of a creative mind. Human beings are highly sensitive and
emotional intellectuals. Their thoughts are guided by feelings, which are completely lacking in
machines. The inherent intuitive abilities of the human brain cannot be replicated.


5. Unemployment: Replacement of humans with machines can lead to large-scale 
unemployment. Humans can unnecessarily be highly dependent on the machines if the use of 
artificial intelligence becomes rampant. They will lose their creative power and will become 
lazy. Also, if humans start thinking in a destructive way, they can create havoc with these 
machines. 


6.1.2 Examples in Finance 


1. Pattern Recognition in Banking: A number of variables have to be considered in
order to establish whether a transaction or set of transactions is suspicious.

• E.g. customer’s salary account in a bank
• Multiple credits in account other than salary credit
• Sizeable increase in Cash to Non-Cash Transaction Ratio - large cash deposits and
  cash withdrawals
• Many transactions with a few related accounts
• Burst in Deposits - Number of Transactions
• Burst in Withdrawals - Number of Transactions
• Burst in Deposits - Amount
• Burst in Withdrawals - Amount
• Unusual applications for Demand Drafts against cash
• Transactions that are too high or low in value in relation to customer's profile
• Computers will learn the past behavioural pattern of the customer based on historical
  transactions and may identify unusual activities


2. Artificial Intelligence is widely used in banking apps as it provides a faster, more
accurate assessment of a potential borrower, at less cost, and accounts for a wider variety of
factors, which leads to a better-informed, data-backed decision. Credit scoring provided by AI
is based on more complex and sophisticated rules compared to those used in traditional credit
scoring systems. It helps lenders distinguish between high-default-risk applicants and those
who are credit-worthy but lack an extensive credit history.


6.1.3 Use Cases 


1. AI in finance: AI in personal finance applications, such as Mint or Turbo Tax, is
disrupting financial institutions. These applications collect personal data and provide financial
advice. Other programs, such as IBM Watson, have been applied to the process of buying a
home. Today, software performs much of the trading on Wall Street.


2. JPMorgan Chase: Launched a Contract Intelligence (COIN) platform that leverages
Natural Language Processing, one of the machine learning techniques. The solution
processes legal documents and extracts essential data from them. Manual review of 12,000
annual commercial credit agreements would typically take up around 360,000 man-hours.
However, machine learning may allow reviewing the same number of contracts in just a few
hours.


3. Wells Fargo: Uses an AI-driven chatbot through the Facebook Messenger platform to
communicate with users and provide assistance with passwords and accounts.


4. Plantation: Recently AI was used in accurate drone-based planting on a mass scale using
seedpods at a much lower cost for the purpose of re-greening the planet.


6.1.4 Impact on Audit 


Auditor can be engaged through critical and distinct activities related to artificial intelligence: 
• For all organizations, audit should include AI in its risk assessment and also consider
  using AI in its risk-based audit plan.

• For organizations exploring AI, audit should be actively involved in AI projects from the
  beginning, providing advice and insight, contributing to successful implementation. To
  avoid impairment to both independence and objectivity, the auditor should not be
  responsible for implementation of AI processes, policies and procedures.

• The auditor should provide assurance on management of risks related to the reliability of the
  underlying algorithms and the data on which the algorithms are based.

• AI must be dealt with using disciplined methods to evaluate and improve the effectiveness of
  risk management, control and governance processes.

• A fraud investigator can use Artificial Intelligence in detecting fraud. While statistical
  & data analysis is used to detect fraud passively, artificial intelligence detects fraud
  actively and directly besides improving speed of processing.


It is to be noted that operational managers should own and manage AI risks on a day-to-day
basis and the auditors should assess operational-level AI policies and procedures, verifying
that control objectives are adequate and working as designed. Further, compliance, ethics,
risk management, and information privacy and security are some other requirements that
are likely to draw attention towards some aspects of AI risks.


Scenarios wherein Artificial intelligence techniques can be used for fraud management: 


1. Data mining - is the process of discovering patterns in large data sets involving
methods at the intersection of machine learning, statistics and database systems. So, data
mining is used to classify, cluster and segment the data and also automatically find associations
and rules in the data, which may point towards interesting patterns of fraud.


2. Expert system - a knowledge-based expert system is used to develop software that
stores all the human expertise and then uses the stored human intelligence to detect fraud.


3. Machine learning and pattern recognition - machine learning is closely related to
computational statistics, which also focuses on prediction making through the use of
information technologies. Machine learning can also be unsupervised and be used to learn
and establish baseline behavioural profiles for various entities and further used to find
meaningful anomalies related to fraud or any other transactions.


4. Neural network - the fraud detection system is totally based on the working principle of the
human brain. Neural network technology has made a computer system capable of reasoning. The
inherent nature of neural networks includes the ability to learn and the ability to capture and
represent complex input/output relationships.
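
The indicators listed under Pattern Recognition in Banking (6.1.2) and the baseline behavioural profile described in item 3 above can be sketched as follows. This is an added example, not part of the original course material; the `Txn` record, the indicator names, the 3-sigma threshold, the 10% spread floor and all sample transactions are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:  # hypothetical record layout, not from the course material
    month: str             # accounting period, e.g. "2020-01"
    kind: str              # "credit" (deposit) or "debit" (withdrawal)
    mode: str              # "cash" or "non-cash"
    amount: float
    is_salary: bool = False


def monthly_features(txns):
    """Reduce one month of transactions to the indicators listed in 6.1.2."""
    credits = [t for t in txns if t.kind == "credit"]
    debits = [t for t in txns if t.kind == "debit"]
    cash = sum(t.amount for t in txns if t.mode == "cash")
    non_cash = sum(t.amount for t in txns if t.mode != "cash")
    return {
        "deposit_count": len(credits),
        "withdrawal_count": len(debits),
        "deposit_amount": sum(t.amount for t in credits),
        "withdrawal_amount": sum(t.amount for t in debits),
        "non_salary_credits": sum(1 for t in credits if not t.is_salary),
        # max() guards against a month with no non-cash activity at all.
        "cash_to_non_cash_ratio": cash / max(non_cash, 1.0),
    }


def build_baseline(history):
    """Learn the customer's normal behaviour: (mean, spread) per indicator."""
    by_month = defaultdict(list)
    for t in history:
        by_month[t.month].append(t)
    rows = [monthly_features(m) for m in by_month.values()]
    baseline = {}
    for name in rows[0]:
        values = [r[name] for r in rows]
        mu = mean(values)
        # Assumed floor: spread is at least 10% of the mean, so a perfectly
        # regular history does not turn every small change into an alert.
        baseline[name] = (mu, max(pstdev(values), 0.1 * abs(mu)))
    return baseline


def flag_month(baseline, month_txns, threshold=3.0):
    """Return {indicator: z-score} for indicators far outside the baseline."""
    alerts = {}
    for name, value in monthly_features(month_txns).items():
        mu, spread = baseline[name]
        if spread == 0:  # indicator was constant (e.g. never a non-salary credit)
            z = 0.0 if value == mu else float("inf")
        else:
            z = (value - mu) / spread
        if abs(z) > threshold:
            alerts[name] = z
    return alerts


def constructed_history():
    """Six constructed months of an ordinary salary account."""
    txns = []
    months = ["2019-10", "2019-11", "2019-12", "2020-01", "2020-02", "2020-03"]
    for i, month in enumerate(months):
        txns.append(Txn(month, "credit", "non-cash", 50000, is_salary=True))
        txns.append(Txn(month, "debit", "non-cash", 15000))              # rent
        txns.append(Txn(month, "debit", "non-cash", 8000 + 500 * i))     # bills
        txns.append(Txn(month, "debit", "cash", 4000 + 1000 * (i % 2)))  # ATM
    return txns


def constructed_normal_month():
    """A constructed month that resembles the history."""
    m = "2020-04"
    return [Txn(m, "credit", "non-cash", 50000, is_salary=True),
            Txn(m, "debit", "non-cash", 15000),
            Txn(m, "debit", "non-cash", 11000),
            Txn(m, "debit", "cash", 4000)]


def constructed_suspicious_month():
    """Salary plus bursts of large cash deposits and cash withdrawals."""
    m = "2020-05"
    return ([Txn(m, "credit", "non-cash", 50000, is_salary=True),
             Txn(m, "debit", "non-cash", 15000)]
            + [Txn(m, "credit", "cash", 90000) for _ in range(4)]
            + [Txn(m, "debit", "cash", 70000) for _ in range(5)])


if __name__ == "__main__":
    baseline = build_baseline(constructed_history())
    print("normal:", flag_month(baseline, constructed_normal_month()))
    print("suspicious:", sorted(flag_month(baseline, constructed_suspicious_month())))
```

The alert names which indicators moved, which gives the auditor a reviewable reason for each flag rather than a bare score.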
6.1.5 Risks and Challenges
Risks of AI


1. AI is Unsustainable: Intelligent machines have characteristically high computing
powers contributed by an array of several processors. These computer chips have rare earth
materials like Selenium as a major constituent. The increased mining of these materials is
irreversibly damaging our environment at a rapid pace.


2. Lesser Jobs: There is no doubt that machines do routine and repeatable tasks much
better than humans. Many businesses would prefer machines instead of humans to increase
their profitability, thus reducing the jobs that are available for the human workforce.


3. A threat to Humanity: He has also stated publicly that AI is the biggest threat to
human civilization in the future. This means that the dystopian future that sci-fi movies show is
not impossible. The biggest risk associated with AI is that machines would gain sentience and
turn against humans in case they go rogue.


Challenges for AI


1. Computing is not that Advanced: Machine Learning and deep learning techniques
that seem most beneficial require a series of calculations to be made very quickly (in
microseconds or nanoseconds or faster than that).


2. Fewer people support: AI implementation does not have enough use cases in the
market. And without it, no organization would be interested to invest money in AI-based
projects. It clearly means that there have been comparatively few organizations interested in
putting money into the development of AI-based products.


3. Creating Trust: People don’t feel comfortable when they don’t understand how the
decision was made. For instance, banks use simple algorithms that are based on linear math
and it is easy to explain the algorithm and how they arrived from input to output. Hence,
somewhere AI has not been able to create trust among people. And the only solution that
seems to exist for this problem is to let people understand that this technology really works.


4. One Track Minds: A big problem that should be taken into account is that most of the
AI implementations are highly specialized. Each is built just to perform a single task and keep
learning to become better and better at it. This means that AIs need to be trained just to make
sure that their solutions do not cause other issues, specifically in all those areas that are
beyond the ones they were designed to consider.


5. Probability: Organizations working on AI-based products cannot clearly demonstrate
their vision and what they have achieved with the help of AI techniques. Moreover, such
confusion has surrounded the minds of people. And ultimately, probability, that is the
mathematical uncertainty behind AI predictions, still remains an unclear region for
organizations.


6. Data Privacy and security: Most of the AI applications are based on massive volumes
of data to learn and make intelligent decisions. Machine learning systems depend on the data,
which is often sensitive and personal in nature. Due to this systematic learning, these ML
systems can become prone to data breach and identity theft. The European Union has
implemented the General Data Protection Regulation (GDPR) that makes sure of the complete
protection of personal data. Likewise, India has introduced “The Personal Data Protection
Bill”.


7. Algorithm bias: A big problem with AI systems is that their level of goodness or
badness depends on how much data they are trained on. Bad data is often associated with
ethnic, communal, gender or racial biases. Proprietary algorithms are used to find out
information like who is granted bail, whose loan is sanctioned etc. If the bias hidden in the
algorithms, which take crucial decisions, goes unrecognized, it could lead to unethical and
unfair results.


8. Data Scarcity: It is a fact that organizations have access to more data in the present
time than ever before. However, datasets that are applicable to AI applications to learn are
really rare. However, the most powerful AI machines are those that are trained on supervised
learning.


6.1.6 Governance and Controls 


AI governance refers to the structure, process and procedures implemented to direct, manage
and monitor the AI activities of the organization in pursuit of achieving the organization’s
objectives. The level of formality and structure for an organization’s AI governance should
vary based on the specific characteristics of the organization. Regardless of the specific
approach, however, AI governance establishes accountability and oversight, helps to ensure
that those responsible have the necessary skills and expertise to effectively monitor and helps
to ensure the organization’s values are reflected in its AI activities. AI activities must result in
decisions and actions that are in line with the ethical, social and legal responsibilities of the
organization.


6.1.7 Professional Opportunities 


• At the same time, emerging technologies are changing the ways of business. This
provides CAs with the opportunity to automate and de-skill time-consuming and 
repetitive work and focus on higher value work, so that they can consolidate their role 
as advisers on finance and business. By being informed about new technologies as 
they evolve and assessing their implications CAs can minimize the burdens and 
maximize the benefits to organizations.

• CAs possess the domain knowledge and experience to create the relevant learning
algorithms for identifying patterns in Finance and Audit.


• CAs should work closely with AI programmers to convert their functional ideas into
reality. These concepts and thought process can be extended to various other business 
sectors beyond Finance Audit. 


• The future may see most of the business transactions flowing through neural networks,
which will learn patterns of behaviour and send out real time alerts of any suspicious 
transactions for investigation. 


• The profession can exploit technology and potentially change the scope of what it
means to be a CA. The CFO of the future will need to know as much about technology
as they do about financial management. CAs must embrace technology to be relevant
in the profession and to ensure sustainability and growth in this digital era.

6.2 Blockchain
6.2.1 Meaning


Blockchain refers to the transparent, trustless, and publicly accessible ledger that allows us
to securely transfer the ownership of units of value using public key encryption and proof of
work methods.


The technology uses decentralized consensus to maintain the network, which means it is not 
centrally controlled by a bank, corporation, or government. In fact, the larger the network 
grows and becomes increasingly decentralized, the more secure it becomes. 


At its most basic level, blockchain is literally just a chain of blocks, but not in the traditional 
sense of those words. When we say the words “block” and “chain” in this context, we are 
actually talking about digital information (the “block”) stored in a public database (the “chain”).


[Figure: a chain of blocks, each holding its own Hash and the Previous Hash of the block before it; Data --> Hash --> Hash of the Previous Block]
Fig. 6.2.1 Blockchain

Evolution of Blockchain


In the year 2008, an individual or group writing under the name of Satoshi Nakamoto 
published a paper entitled “Bitcoin: A Peer-To-Peer Electronic Cash System”. This paper 
described a peer-to-peer version of the electronic cash that would allow online payments to be 
sent directly from one party to another without going through a financial institution. Bitcoin was 
the first realization of this concept. The word “cryptocurrency” is now the label used to
describe all networks and mediums of exchange that use cryptography to secure
transactions, as against those systems where the transactions are channelled through a
centralized trusted entity. A few months later, an open source program implementing the new
protocol was released that began with the Genesis block of 50 coins. Anyone can install this 
open source program and become part of the bitcoin peer-to-peer network. It has grown in 
popularity since then.

Technologies That Make Blockchain Possible


1. Peer-to-peer network (distributed ledger)—Today, creating and maintaining ledgers
requires the use of some third party (i.e., title office, bank, court, voting records, debit cards, 
checks, contracts). The ledger’s rules can be somewhat vague and require interpretation. 
Interpretation can cause inconsistency. It is important to trust the third party because the 
ledger cannot be seen by the enterprise. Such ledgers are centralized and have an authority 
of their own. In a decentralized ledger, each node is connected to all other nodes and is not 
reliant on any central authority. The ledger is “synced” to all nodes and becomes public. 
Nodes trust adjacent nodes, but verify transactions before recording them (trust, but verify). 
This is distributed ledger architecture and is a key component of a blockchain. In distributed 
ledger architecture, transactions are read (validated) and written (appended). Peer-to-peer 
(P2P) networks are easy to manage, but slow and susceptible to attack (such as a
denial-of-service [DoS] attack). The use of a P2P network is a critical component of blockchain. A P2P
network has no central hierarchy with all nodes maintaining a copy of the entire ledger at all 
times. 


2. Public key infrastructure (blockchain addresses)—How does one trust “unknown” 
parties? Cryptography (an algorithm) is used to create trust in the transaction between 
untrusted participants. Specifically, public key infrastructure (PKI) is a component of the 
blockchain. The technology uses asymmetric encryption (compared to symmetric 
cryptography, which uses the same secret key to encrypt and decrypt data) to identify parties 
(via digital signature) along with the integrity of the transactions (message digest). With PKI, a 
pair of keys (public and private) is generated. The public key is freely distributed. The owner 
of the pair keeps the private key. Anything can be encrypted with the public key but can only 
be decrypted with the private key. The private key of the sender can also be used to digitally 
sign the message. It is critical that the owner of the private key protect it so the corresponding 
public key can be used to verify the identity of the sender. If the private keys are 
compromised, the entire system is compromised. Users in the network (all the nodes) must 
acquire public keys. Parties create a private key to maintain their wallet and a public key to 
submit a transaction request to the network. Users can have an infinite number of wallets. 
Wallets can be online exchange, software based, in a secured drive or paper based. Public 
keys are hashed in multiple iterations to create user addresses called blockchain addresses, 
guaranteeing the anonymity of the parties. A different address is used for each transaction. 


3. Hash function (miner)—Hash functions are used throughout the entire blockchain 
process to guarantee records are not changed, ensuring the integrity of the entire system. A 
hash function takes an input of variable length and creates a fixed-length output known as a 
message digest. This is a one-way process, meaning that original input cannot be recreated 
from the message digest. This process allows one to check if the input was changed. If so, the 
process will produce a different output.

Advantages and Disadvantages of Blockchain

Pros

• Improved accuracy by removing human involvement in verification
• Cost reductions by eliminating third-party verification
• Decentralization makes it harder to tamper with
• Transactions are secure and efficient
• Transparent technology

Cons

• Significant technology cost associated with mining bitcoin
• Low transactions per second
• History of use in illicit activities
• Susceptibility to being hacked

Principles of block chain 


1. Distributed Database: Each party on a block chain has access to the entire database
and its complete history. No single party controls the data or the information. Every party can 
verify the records of its transaction partners directly, without an intermediary. 


2. Peer-to-Peer Transmission: Communication occurs directly between peers instead of 
through a central node. Each node stores and forwards information to all other nodes. 


3. Transparency: Every transaction and its associated value are visible to anyone with 
access to the system. Each node, or user, on a block chain has a unique 30-plus-character 
alphanumeric address that identifies it. Users can choose to remain anonymous or provide 
proof of their identity to others. Transactions occur between block chain addresses. 


4. Irreversibility of Records: Once a transaction is entered into the database and the 
accounts are updated, the records cannot be altered, because they are linked to every 
transaction record that came before them (hence the term “chain”). Various computational 
algorithms and approaches are deployed to ensure that the recording on the database is 
permanent, chronologically ordered, and available to all others on the network. 


5. Computational Logic: The digital nature of the ledger means that block chain 
transactions can be tied to computational logic and in essence programmed. So, users can set 
up algorithms and rules that automatically trigger transactions between nodes. 
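
The hash linking described under “Hash function” and “Irreversibility of Records” above, shown as an added example that is not part of the course material: each block stores the SHA-256 hash of its predecessor and a verifier recomputes every link. The block fields, the JSON encoding and the sample records are assumptions made for the illustration.

```python
import copy
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block


@dataclass
class Block:
    index: int
    data: dict
    prev_hash: str
    hash: str


def block_hash(index, data, prev_hash):
    """SHA-256 digest over a canonical encoding of the block's contents."""
    payload = json.dumps(
        {"index": index, "data": data, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def build_chain(records):
    """Link records into blocks, each carrying the hash of its predecessor."""
    chain, prev = [], GENESIS_PREV
    for index, record in enumerate(records):
        digest = block_hash(index, record, prev)
        chain.append(Block(index, record, prev, digest))
        prev = digest
    return chain


def verify_chain(chain, trusted_tip=None):
    """Return (block index, finding) pairs; an empty list means no issue found.

    trusted_tip is the last block's hash as reported by an independent node.
    """
    findings, prev = [], GENESIS_PREV
    for block in chain:
        if block.prev_hash != prev:
            findings.append((block.index, "broken link to previous block"))
        if block_hash(block.index, block.data, block.prev_hash) != block.hash:
            findings.append((block.index, "contents do not match stored hash"))
        prev = block.hash
    if trusted_tip is not None and chain and chain[-1].hash != trusted_tip:
        findings.append((chain[-1].index, "tip differs from independent copy"))
    return findings


# Constructed sample ledger entries (not real transactions).
RECORDS = [
    {"from": "A", "to": "B", "amount": 100},
    {"from": "B", "to": "C", "amount": 40},
    {"from": "C", "to": "A", "amount": 15},
]


def run_scenarios():
    honest = build_chain(RECORDS)
    tip = honest[-1].hash

    # 1. A record is edited in place; the stored hash no longer matches.
    edited = copy.deepcopy(honest)
    edited[1].data["amount"] = 4000

    # 2. The edited block's hash is recomputed; the next block's link breaks.
    rehashed = copy.deepcopy(edited)
    rehashed[1].hash = block_hash(1, rehashed[1].data, rehashed[1].prev_hash)

    # 3. Every later block is rebuilt; the copy is self-consistent, so only a
    #    comparison with another node's tip exposes the change.
    altered_records = copy.deepcopy(RECORDS)
    altered_records[1]["amount"] = 4000
    rebuilt = build_chain(altered_records)

    return {
        "honest": verify_chain(honest, tip),
        "edited": verify_chain(edited),
        "rehashed": verify_chain(rehashed),
        "rebuilt_alone": verify_chain(rebuilt),
        "rebuilt_vs_peer": verify_chain(rebuilt, tip),
    }


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(f"{name:16} {findings or 'no findings'}")
```

The third scenario passes when the copy is checked on its own, so a ledger obtained from one node should have its tip hash compared with that of at least one independent node.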


6.2.2 Examples in Finance 


(a) Payments and reconciliations: Transactions can occur directly between two parties
on a frictionless P2P basis. The application of blockchain technology has the potential to reduce
risk and transaction costs and to improve speed, efficiency and transparency.


(b) Issuance, ownership and transfer of financial information: A blockchain-based 
securities market allows traders to buy or sell stocks directly on exchanges or directly to other 
market participants in a P2P manner without the intermediary’s services provided by a broker 
or clearing house. 


(c) Clearing and settlement latency: On the blockchain, the entire lifecycle of a trade, 
including its execution, clearing and settlement can occur at a trade level, lowering post-trade 
latency and reducing counterparty. 


6.2.3 Use Cases 


(a) Barclays placed themselves at the forefront of adoption by implementing the security 
and transparency aspects of blockchain technology into their transaction processes. 


It included the first trade documentation to be encrypted and managed on a blockchain 
network. The use of a decentralized ledger to store and send the documents saved the bank
significant time and money on the transaction.


(b) Through the use of blockchain technology, manufacturers can identify the original 
sources of goods, deliveries, and production activities all through a supply chain management 
process. This can give average consumers the ability to confirm the source of goods and 
items that they buy, which can go a long way toward pushing back on counterfeit items or 
misrepresented foodstuffs. There are a few notable projects that use blockchain technology 
for supply chain management transparency, such as Ambrosus, which targets the safety and 
origins of food products, and Vechain, a blockchain-based platform that allows both 
consumers and retailers to confirm the authenticity and quality of purchased products. 


(c) Another industry in which the integrity and transparency provided by blockchain are important
is the pharmaceutical industry. When dealing with medical prescriptions, drug records, patient
treatment data, and the transportation of expensive medical equipment and other medicinal
items that can spell life or death for a patient, transparency, accurate data, security, and trust
are absolute musts. A blockchain provides all of this. DHL, a global logistics leader, is
working together with Accenture, a global management and professional services company, to
integrate blockchain technology with the pharmaceutical industry to improve serialization
accuracy.


6.2.4 Impact on Audit 


• Blockchain technology offers an opportunity to streamline financial reporting and audit
processes. Today, account reconciliations, trial balances, journal entries, sub-ledger
extracts, and supporting spreadsheet files are provided to an auditor in a variety of
electronic and manual formats. Each audit begins with different information and
schedules that require an auditor to invest significant time when planning an audit.


• In a blockchain, the auditor could have near real-time data access via read-only nodes
on blockchains. This may allow an auditor to obtain information required for the audit in 
a consistent, recurring format. With blockchain-enabled digitization, auditors could 
deploy more automation, analytics and machine-learning capabilities such as 
automatically alerting relevant parties about unusual transactions on a near real-time 
basis. Supporting documentation, such as contracts, agreements, purchase orders, and 
invoices could be encrypted and securely stored or linked to a blockchain. By giving 
auditors access to unalterable audit evidence, the pace of financial reporting and 
auditing could be improved. 


• While the audit process may become more continuous, auditors will still have to apply
professional judgment when analysing accounting estimates and other judgments made 
by management in the preparation of financial statements. In addition, for areas that 
become automated, they will also need to evaluate and test internal controls over the 
data integrity of all sources of relevant financial information. 


• At the same time, an auditor would also have newer roles in this ecosystem. Auditing
Smart Contracts and Oracles, which are embedded into the blockchain, are new roles to 
take up. Checks such as interface testing, events, which trigger transactions into the 
blockchain, are areas where the auditors may have to focus. 


• Another area could be audit of consortium blockchains, where as a “Service Auditor” the
auditor can validate the system and set up, and give assurance to the participants on 
the conformity of controls in place. 


6.2.5 Risks and Challenges 


An organization’s risk management team should analyse, assess and design mitigation plans 
for risks expected to emerge from implementation of blockchain-based frameworks. The 
following are the most common risks noted: 


(a) Vendor Risks: Most organizations, looking to deploy blockchain-based applications,
lack the required technical skills and expertise to design and deploy a blockchain-based 
system and implement smart contracts completely in-house, i.e. without reaching out for 
vendors of blockchain applications. The value of these applications is only as strong as 
the credibility of the vendors providing them. Given that the Blockchain-as-a-Service
(BaaS) market is still developing, a business should meticulously
select a vendor that can craft applications that appropriately address the
risks that are associated with the blockchain.

(b) Credential Security: Even though the blockchain is known for its high security levels, a
blockchain-based system is only as secure as the system’s access point. When
considering a public blockchain-based system, any individual who has access to
the private key of a given user, which enables him/her to “sign” transactions on
the public ledger, will effectively become that user, because most current systems do
not provide multi-factor authentication. Also, loss of an account’s private keys can lead 
to complete loss of funds, or data, controlled by this account; this risk should be 
thoroughly assessed. 


(c) Legal and Compliance: It is a new territory in all aspects without any legal or
compliance precedents to follow, which poses a serious problem for manufacturers and 
services providers. This challenge alone will scare off many businesses from using 
blockchain technology. 


(d) Data security and confidentiality: Not all data on a distributed ledger should be
accessible and available to others. It is feasible that hackers may be able to obtain the
keys to access the data on the distributed ledger, considering that users have multiple
points of access.


(e) Scalability issues: These relate to the size of the blockchain ledger, which grows
over time and requires record management; this might lead to centralization and is
casting a shadow over the future of the blockchain technology.


(f) Interoperability between blockchains: New blockchain networks keep showing
up, which leads to new chains that offer different speeds, network processing and
use cases. Blockchain interoperability aims to improve information sharing across diverse
blockchain networks. These cross-chain services improve blockchain interoperability
and also make them more practical for daily usage.


(g) Processing power and time: These are required to perform encryption algorithms for all the
objects involved in a blockchain-based ecosystem. Such ecosystems are
very diverse and comprise devices that have very different computing capabilities,
and not all of them will be capable of running the same encryption algorithms at the
desired speed.


(h) Storage will be a hurdle: Blockchain eliminates the need for a central server to store
transactions and device IDs, but the ledger has to be stored on the nodes themselves, 
and the ledger will increase in size as time passes. That is beyond the capabilities of a 
wide range of smart devices such as sensors, which have very low storage capacity. 
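
The Credential Security risk above, together with the public key description in 6.2.1, shown as an added example that is not part of the course material: a validating node can check only that a signature matches the public key behind the sending address. Ed25519 from the third-party Python `cryptography` package, the double-SHA-256 address scheme and the transaction fields are assumptions chosen for the illustration.

```python
import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


def raw_public_key(private_key):
    """Raw 32-byte public key belonging to a private key."""
    return private_key.public_key().public_bytes(
        encoding=serialization.Encoding.Raw,
        format=serialization.PublicFormat.Raw,
    )


def address_of(public_key_bytes):
    """Assumed address scheme: SHA-256 twice, first 20 bytes, hex encoded."""
    once = hashlib.sha256(public_key_bytes).digest()
    return hashlib.sha256(once).digest()[:20].hex()


def canonical(tx):
    """Stable byte encoding of a transaction, so signer and verifier agree."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_transaction(private_key, to_address, amount, nonce):
    """Build a transaction from the key's own address and sign it."""
    public = raw_public_key(private_key)
    tx = {"from": address_of(public), "to": to_address,
          "amount": amount, "nonce": nonce}
    return {"tx": tx, "public_key": public.hex(),
            "signature": private_key.sign(canonical(tx)).hex()}


def node_accepts(signed):
    """The two checks a validating node can make on a submitted transaction."""
    try:
        public = bytes.fromhex(signed["public_key"])
        signature = bytes.fromhex(signed["signature"])
        if address_of(public) != signed["tx"]["from"]:
            return False  # key does not belong to the sending address
        Ed25519PublicKey.from_public_bytes(public).verify(
            signature, canonical(signed["tx"]))
        return True
    except (InvalidSignature, ValueError, KeyError, TypeError):
        return False


def run_checks():
    # Constructed parties; keys are generated fresh on every run.
    owner = Ed25519PrivateKey.generate()
    outsider = Ed25519PrivateKey.generate()
    payee = address_of(raw_public_key(Ed25519PrivateKey.generate()))

    genuine = sign_transaction(owner, payee, 250, nonce=1)

    # Amount changed after signing: the signature no longer covers the content.
    altered = json.loads(json.dumps(genuine))
    altered["tx"]["amount"] = 25000

    # Signed with a different key while naming the owner's address as sender.
    claim = dict(genuine["tx"], nonce=2)
    impostor = {"tx": claim, "public_key": raw_public_key(outsider).hex(),
                "signature": outsider.sign(canonical(claim)).hex()}

    # A second copy of the owner's key material (e.g. a backup or export).
    copied = Ed25519PrivateKey.from_private_bytes(owner.private_bytes(
        encoding=serialization.Encoding.Raw,
        format=serialization.PrivateFormat.Raw,
        encryption_algorithm=serialization.NoEncryption(),
    ))
    from_copy = sign_transaction(copied, payee, 250, nonce=3)

    return {
        "genuine": node_accepts(genuine),
        "altered": node_accepts(altered),
        "impostor": node_accepts(impostor),
        "from_copy": node_accepts(from_copy),
        "same_sender": from_copy["tx"]["from"] == genuine["tx"]["from"],
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name:12} {result}")
```

The transaction signed by the key copy is accepted because verification proves possession of the key, not the identity of its holder, which is why key custody has to be controlled outside the ledger.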


6.2.6 Governance and Controls 


The following are critical points to be kept in mind while implementing / assessing a
blockchain based solution:

Governance Framework: The enterprise has an adequate governance framework to
provide oversight for blockchain technology.


Management Oversight: Management oversight provides assurance that the 
enterprise’s strategic objectives are not adversely affected by risk related to blockchain 
technology (internal or external). 


Regulatory Risk: Regulatory risk has been identified and is appropriately mitigated (or 
accepted and monitored), to ensure that the enterprise’s strategic objectives are not 
adversely affected. 


Business Continuity: The enterprise’s business continuity plan incorporates elements 
that address the effective operation of blockchain technology. 


Vendor Management: Vendor contract administration and operational processes 
ensure ongoing alignment between the enterprise’s strategic objectives and blockchain 
solutions. 


Secure key distribution and management policies: Policies and processes around
crypto keys and their distribution during blockchain implementation help to manage
cryptography functions, key access control, key rotation methods and validations of
crypto algorithms’ implementation.


Secure APIs and Integrations: Third-party remittances, E-KYC and smart contracting
applications are integrated with the blockchain platform. APIs exposed to third parties
should not reveal any sensitive data to adversaries. APIs and their integrations should
handle authentication, payload security, session management and design security
risks.


6.2.7 Professional Opportunities 


Even though the technology of Blockchain is evolving constantly, as Chartered Accountants, 
we can use our domain expertise in the following ways: 


1. Assist in evaluating the functional design: Blockchain is not a solution for every
problem. It requires an eco-system and set of players to assist. As Chartered
Accountants we could assist in analysing the business requirement and decide if the
case is fit for blockchain platform.


2. Evaluation of Proof of Concept: Before the solution is deployed a Prototype often
known as Proof of Concept is prepared. Chartered Accountants could assist in 
evaluating / designing the Proof of Concept. 


3. Assessment of Risks in Implementation: Every new technology comes with some
inherent risk. An assessment of the risks involved in implementation is critical.
Chartered Accountants may assist in assessment of risk before implementation of
blockchain platform.


4. Impact on Audit: Understanding the impact of blockchain on the accounting and audit
profession is of paramount importance for Chartered Accountants. This also requires
a change in the approach to audit and accounting.


5. Audit of Smart Contracts and Oracle: Smart contracts and Oracles can be embedded
in a blockchain to automate business processes. Contracting parties may want to
engage an assurance provider to verify that smart contracts are implemented with the
correct business logic.

6.3 Cloud Computing
6.3.1 Meaning


National Institute of Standards and Technology (NIST) defines cloud computing as: 


“Cloud computing is a model for enabling ubiquitous, convenient, on-demand, network access 
to a shared pool of configurable computing resources (e.g., networks, servers, storage, 
applications, and services) that can be rapidly provisioned and released with minimal 
management efforts or service provider interaction.” 


Cloud Computing means the use of computing resources as a service through networks, such as
the Internet. It is the use of various services, such as software development platforms, servers,
storage, and software, over different networks, often referred to as the "cloud", e.g. Google
apps.


It is a combination of hardware and software computing resources delivered as a network
service. The location of physical server and devices is not known to end user. Service
customers of cloud computing use “what they need on internet” and “pay only for what they
use.”


In simpler terms, cloud is a set of resources, such as processors and memory, which are put
in a big pool. As per the requirement, cloud assigns resources to the client, who then connects
to them over the network. Further, clouds are multi-tenant by nature, i.e., multiple different
consumers share the same pool of resources but are isolated and segregated from each other.


Cloud computing has become a great solution for providing a flexible, on-demand, and 
dynamically scalable computing infrastructure for many applications. Cloud computing also 
presents a significant technology trend, and it is already obvious that it is reshaping 
information technology processes and the IT marketplace. For cloud computing to reach the 
full potential promised by the technology, it must offer solid information security. 


Features / Characteristics 
Following are essential characteristics of Cloud Computing as defined by NIST - 


(i) Resource Pooling is the most fundamental characteristic of cloud computing. The
provider abstracts resources and collects them into a pool, portions of which can be 
allocated to different consumers. 


(ii) Cloud provides on-demand self-service, i.e., consumers manage their resources
themselves, without having to talk to a human administrator. 


(iii) All resources on cloud are available over a network and there is no direct physical
access.

(iv) Rapid elasticity allows consumers to expand or contract the resources they use from
the pool thereby enabling them to match resource consumption with demand.


(v) Measured service meters what is provided to ensure that consumers only use what they
are allotted, and, if necessary, to charge them for it. 


Further, ISO/IEC 17788 lists six key characteristics, all but one of which are identical to the NIST
characteristics. The only addition is multitenancy, which is distinct from resource pooling.


Advantages of Cloud Computing 


Cost Efficiency

- Most cost-efficient method to maintain and upgrade. More productivity is
achieved with fewer systems and hence cost per unit of project

Reduce spending on technology infrastructure

- Minimal upfront spending and pay as you go

Unlimited Storage

- Storing information in the cloud gives us almost unlimited storage capacity with
an option to scale

Backup & Recovery

- Backing it up and restoring the same is relatively much easier than storing the
same on a physical device

Automatic Software Integration

- Software integration is usually something that occurs automatically and can be
customized with great ease.

Easy Access to Information and Globalize the workforce

- Access the information from anywhere

Reduce Capital costs

- No need to spend huge money on hardware, software etc.

Quick Deployment

- The entire system can be fully functional in a matter of a few minutes depending
upon technology

Less Personnel training and minimize maintenance and licensing software

- Fewer people to do more work

Improved Flexibility and effective monitoring of projects

- Quick changes possible


Disadvantages of Cloud Computing


Internet Connectivity: Cloud platforms require Internet connectivity almost all the
time and are difficult to operate in certain regions. If the Internet connection is lost, then access
to data and applications is also lost.


Technical Issues: This technology is always prone to outages and other technical 
issues. Even the best cloud service providers run into this kind of trouble, in spite of 
keeping up high standards of maintenance. 


Security in the Cloud: Surrendering all the company’s sensitive information to a third-party
cloud service provider could potentially put the company at great risk.


Prone to Attack: Storing information in the cloud could make the company vulnerable
to external hack attacks and threats. Nothing on the Internet is completely secure and
hence, there is always the lurking possibility of theft of sensitive data.


Availability: Depending on vendor, customers may face restrictions on availability of 
applications, OS etc. 


Interoperability: The ability of two or more applications to work together to support a
business need is an issue, as all applications may not reside with a single cloud vendor, or two
vendors having different applications may not co-operate.


6.3.2 Cloud Computing Architecture, Environment and Service Model 


(a) Cloud Computing Deployment Models

[Figure: the cloud, split into Off Premise/Third Party and On Premise/Internal]
Fig. 6.3.1 Cloud Deployment models


Private Cloud 


resides within the boundaries of an organization and is used exclusively for the 
organization’s benefits 


built primarily by IT departments within enterprises 
Optimize utilization of infrastructure resources 
can either be 


- private to the organization and managed by the single organization (On-Premise 
Private Cloud) or 


- can be managed by third party (Outsourced Private Cloud) 


Private Cloud - Characteristics 


Secure: 

- Deployed and managed by the organization itself 

- least probability of data being leaked out of the cloud. 

Central Control: 

- managed by the organization itself, 

- no need for the organization to rely on anybody other than operations. 
Weak Service Level Agreements (SLAs): 

- SLAs are agreements between the user and the service provider 


- Formal SLAs do not exist or are weak as it is between the organization and user 
of the same organization. 


- High availability and good service may or may not be available and is dependent 
upon SLAs. 


Advantages 

- Improve average server utilization 
- Reduces costs 

- Higher Security & Privacy of User 
- Higher automations possible 
Limitation 


- Invest in buying, building and managing the clouds independently

[Figure: users within a private organization]
Fig. 6.3.2 Private Cloud


Public Cloud 


can be used by the general public 
administrated by third parties or vendors over the Internet 
the services are offered on pay-per-use basis 


Business models like SaaS (Software-as-a-Service) and other service models are also 
provided 


Characteristics of Public Cloud 


Highly Scalable:

- The resources in the public cloud are large in number and the service providers
make sure that all requests are granted.

Affordable:

- Offered to the public on a pay-as-you-go basis;
- User has to pay only for what he or she is using

Less Secure:

- Offered by a third party and they may have full control over the cloud, depending
upon the service model.

Highly Available:

- Anybody from any part of the world can access the public cloud with proper
permission.

Stringent SLAs:

- SLAs are followed strictly and violations are not avoided

Advantages

- widely used at affordable costs
- deliver highly scalable and reliable applications
- no need for establishing infrastructure for setting up and maintaining the cloud.
- Strict SLAs are followed.
- There is no limit for the number of users

Limitations

- Security
- Organizational autonomy is not possible.
Hybrid Cloud 


Combination of public, private and community cloud.

Normally a vendor has a private cloud and forms a partnership with public cloud
provider or vice versa

Fig. 6.3.3 Hybrid Cloud

Characteristics of Hybrid Cloud

Scalable:

- The hybrid cloud has the property of public cloud with a private cloud
environment and as the public cloud is scalable.

Partially Secure:


- The private cloud is considered as secured and public cloud has high risk of
security breach.

Stringent SLAs:


- Overall, the SLAs are more stringent than the private cloud and might be as per 
the public cloud service providers. 


Complex Cloud Management: 


- Cloud management is complex as it involves more than one type of deployment 
models and also the number of users is high. 


Advantages 

- highly scalable and gives the power of both private and public clouds. 
- Provides better security than the public cloud. 

The limitation 


- security features are not as good as the private cloud and complex to manage 


Community Cloud 


exclusive use by a specific community of consumers from organizations that have 
shared concerns 


owned, managed, and operated by one or more of the organizations in the community, 
a third party or some combination of them 


may exist on or off premises 


suitable for organizations that cannot afford a private cloud and cannot rely on the 
public cloud either 


Fig. 6.3.4 Community Cloud

Characteristics of Community Cloud

Collaborative and Distributive Maintenance:

- no single company has full control over the whole cloud.
- Usually distributive and hence better cooperation provides better results.

Partially Secure:

- possibility that the data may be leaked from one organization to another, though
it is safe from the external world.


Cost Effective: 


- As the complete cloud is being shared by several organizations or community, 
not only the responsibility gets shared; the community cloud becomes cost 
effective too. 


Advantages of Community Clouds are as follows: 

- Establishing a low-cost private cloud. 

- Collaborative work on the cloud. 

- Sharing of responsibilities among the organizations. 

- better security than the public cloud. 

Limitation 

- Autonomy of the organization is lost 

- some of the security features are not as good as the private cloud 
- Not suitable in the cases where there is no collaboration. 

(b) Service Models of Cloud Computing


Cloud computing is a model that enables end users to access a shared pool of
resources such as computer, network, storage, database and application as an
on-demand service without the need to buy or own them.


The services are provided and managed by the service provider, reducing the 
management effort from the end user side. 


Fig. 6.3.5 Cloud service Models (Software as Service, Platform as Service, Infrastructure as Service)

Fig. 6.3.6 Customer control in Cloud Service Models (Private Cloud, Infrastructure as a Service,
Platform as a Service, Software as a Service)

Infrastructure as a Service (IaaS)


• A hardware-level service that provides computing resources such as processing power,
memory, storage, and networks for cloud users

• Changes the computing from a physical infrastructure to a virtual infrastructure through
virtual computing; storage;

• The IT architects need not maintain the physical servers

• Examples of IaaS: Amazon Web Services (AWS), Google Compute Engine, OpenStack
and Eucalyptus.


Platform as a Service (PaaS) 


• Delivers a computing platform including operating system, programming language
execution environment, database, and web server

• App developers can develop and run their software solutions on a cloud platform
without the cost and complexity of acquiring hardware/software

• For example: Google AppEngine, Windows Azure Compute etc.
• The following are provided:

- Programming Language

- Application Frameworks:

- Database:

- Other Tools:

Software as a Service (SaaS)


• Gives end users the ability to access an application over the Internet that is
hosted and managed by the cloud service provider.

• End users are exempted from managing or controlling the application, the development
platform, and the underlying infrastructure.

• Delivered as an on-demand service over the Internet; there is no need to install the
software on the end-user's devices.

• Gives users access to a large variety of applications over the Internet that are hosted on
the service provider's infrastructure.

• E.g. Google Drive / Docs, online photo editing software


6.3.3 Security Frameworks in Cloud 


A security framework is a coordinated system of tools and behaviours used to monitor data
and transactions, extended to wherever data utilization occurs, thereby providing
end-to-end security. The benefit of security frameworks is that they protect vital processes
and the systems that provide those operations.


The leading frameworks and guidelines to meet regulatory requirements are as follows: 
• Cyber Security Framework (NIST, 2013, 2014; SANS, 2016).

• Control Objectives for Information and Related Technology (COBIT 2019).

• Statement on Standards for Attestation Engagements 18 (SSAE 18) reports include
SOC 1, financial reporting; SOC 2, IT controls; and SOC 3, attestation.

• Cloud Security Alliance (CSA) provides comprehensive guidance on how to establish a
secure baseline for cloud operations. CSA maintains the Security, Trust and Assurance
Registry (STAR) cloud provider registry (CSA, 2015).

• General Data Protection Regulation (GDPR) lays down rules relating to the protection of
natural persons with regard to the processing of personal data and rules relating to the
free movement of personal data.

• ISO/IEC 17788:2014 provides an overview of cloud computing along with a set of terms
and definitions and is applicable to all types of organizations.

• ISO/IEC 27017:2015: Information technology — Security techniques — Code of
practice for information security controls based on ISO/IEC 27002 for cloud services. It
provides guidelines for information security controls applicable to the provision and use
of cloud services by providing additional implementation guidance for relevant controls
specified in ISO/IEC 27002 and additional controls with implementation guidance that
specifically relate to cloud services.


6.3.4 Impact on Audit and auditors 


Cloud computing is transforming business IT services, but it also poses significant risks that
need to be planned for. The following are a few of the additional areas of review for auditors:

• Does the organization's strategy for the cloud link to the overall business strategy?

• Are the audit teams knowledgeable about the differences in cloud computing services
and do they apply the right approach to deliver effective audit coverage?

• Is there a clear understanding of the difference between the organization and the cloud,
and where the technology boundary starts and stops?

• What are the IT General Controls on the Cloud enforced by the organization?

• Have there been any independent audits / reviews of the Cloud environment?

• Are there periodical audits performed by the Cloud Service Provider and how are the
high-risk issues dealt with?

• Is the existing audit risk assessment process flexible enough to differentiate between
the ranges of cloud services that might be used?

• How does the audit work complement the wider supplier assessments that are
considering both third- and fourth-party risks?

• Has sufficient explanation been provided to key internal parties, including directors and
the audit committee, to highlight the business reasoning or impact of cloud provision?

• How will samples be selected and are there opportunities to employ data analytics,
either via the service provider or in-house, to enable complex analysis that caters for
peaks and troughs in provision?


6.3.5 Risks and Challenges 


Applications processed in the cloud have similar implications for the business as traditional 
outsourcing. These include: 


• Loss of business focus

• Solution failing to meet business and/or user requirements; not performing as expected;
or not integrating with strategic IT plan, information architecture and technology
direction

• Incorrect solution selected or significant missing requirements

• Contractual discrepancies and gaps between business expectations and service
provider capabilities

• Control gaps between processes performed by the service provider and the
organization

• Compromised system security

• Invalid transactions or transactions processed incorrectly

• Reduced system availability and questionable integrity of information

• Poor software quality, inadequate testing and high number of failures

• Failure to respond to relationship issues with optimal and approved decisions

• Unclear responsibilities and accountabilities

• Inaccurate billings

• Litigation, mediation or termination of the agreement, resulting in added costs and/or
business disruption and/or total loss of the organization

• Inability to satisfy audit/assurance charter and requirements of regulators or external
auditors

• Reputation

• Fraud


In addition to the above, cloud computing has certain specific risks:

• Greater dependency on third parties:
- Increased vulnerabilities in external interfaces
- Increased risks in aggregated data centres
- Immaturity of the service providers with the potential for service provider going
concern issues
- Increased reliance on independent assurance processes

• Increased complexity of compliance with laws and regulations:
- Greater magnitude of privacy risks
- Transborder flow of personally identifiable information
- Affecting contractual compliance

• Reliance on the Internet as the primary conduit to the organization's data introduces:
- Security issues with a public environment
- Availability issues of Internet connectivity

• Due to the dynamic nature of cloud computing:
- The location of the processing facility may change according to load balancing
- The processing facility may be located across international boundaries
- Operating facilities may be shared with competitors
- Legal issues (liability, ownership, etc.) relating to differing laws in hosting
countries may put data at risk


- Identity and Access Management: user access provisioning; deprovisioning; super user access
- Data: data segregation and isolation; information security and data privacy requirements;
malicious insider
- Financial and Vendor Management: under-estimated start-up costs; exit costs or penalties;
management overhead; run-away variable costs
- Operational: service reliability and uptime; disaster recovery; SLA customization and
enforcement; control over quality
- Regulatory: complexity to ensure compliance; lack of industry standards and certifications
for cloud providers; records management / records retention; lack of visibility into service
provider operations and ability to monitor for compliance
- Technology: evolving technology; cross-vendor compatibility and integration; customization
limitations; technology choice and proprietary lock-in

Fig. 6.3.7 Risk and Challenges in Cloud Computing 


6.3.6 Governance and Controls 


Governance, generically, may be defined as an agreed-upon set of policies and standards,
which is:

• Based on a risk assessment and an agreed-upon framework,

• Inclusive of audit, measurement, and reporting procedures, as well as enforcement of
policies and standards.

In a multi-enterprise or multi-deployment cloud environment, participants agree to promote
and establish joint expectations for security and service levels. Governance will also define
the process for any response to a breach of protocol, and the set of decision makers who are
responsible for mitigation and communication.


The following are critical to having governance in place:

(a) Governance of Cloud Computing Services: Governance functions are established to
ensure effective and sustainable management processes that result in transparency of
business decisions, clear lines of responsibility, information security in alignment with
regulatory and customer organization standards, and accountability.

(b) Enterprise Risk Management: Risk management practices are implemented to
evaluate inherent risk within the cloud computing model, identify appropriate control
mechanisms and ensure that residual risk is within acceptable levels.

(c) IT Risk Management: A process to manage IT risk exists and is integrated into the
organization's overall ERM framework. IT risk management metrics are available for
the information security function to manage risk within the risk appetite of the data
owner.

(d) Third-party Management: The customer recognizes the outsourced relationship with
the service provider. The customer understands its responsibilities for controls, and the
service provider has provided assurances of sustainability of those controls.

(e) Legal Compliance: The service provider and customer establish bilateral agreements
and procedures to ensure contractual obligations are satisfied, and these obligations
address the compliance requirements of both the customer and service provider. Legal
issues relating to functional, jurisdictional and contractual requirements are addressed
to protect both parties, and these issues are documented, approved and monitored. The
use of cloud computing should not invalidate or violate any customer compliance
requirements.

(f) Right to Audit: The right to audit is clearly defined and satisfies the assurance
requirements of the customer's board of directors, audit charter, external auditors and
any regulators having jurisdiction over the customer.

(g) Certifications: Service provider security assurance is provided through ISO 27001
Certification.

(h) Service Transition Planning: Planning for the migration of data, such as meta data
and access, is essential to reducing operational and financial risk at the end of the
contract. The transition of services should be considered at the beginning of contract
negotiations.


6.3.7 Professional Opportunities 


Cloud computing provides a host of opportunities. A few of them are detailed below:

(a) Assessment with respect to costs and benefits on migration to cloud versus in-house
tools

(b) Cloud based solution implementation for clients

(c) Assessment on the model of cloud to be deployed and the variants for the same.

(d) Consulting with respect to the migration from traditional facilities to cloud based
infrastructure.

(e) Training of the user staff on the operation of these facilities

(f) IT audit of these facilities

6.4 Data Analytics

6.4.1 Meaning


Data Analytics is defined as the science of examining raw and unprocessed data with the
intention of drawing conclusions from the information thus derived. It involves a series of
processes and techniques designed to take the initial data, sanitize it, remove any
irregular or distorting elements and transform it into a form appropriate for analysis so as to
facilitate decision-making.


In simple terms, data analytics refers to the science of examining raw data with the purpose of 
drawing conclusions about that information. 


From an accountant’s perspective Data Analytics is a generic term for Computer Assisted 
Audit Tools and Techniques (CAATTs) and covers the collection of tools, techniques and best 
practices to access and analyse digital data. Data Analytics empowers auditors to use 
technology to audit digital data thereby giving access to 100% of the data and to analyse data 
to infer insights from information. Data Analytics enables auditors to optimise audit time and 
add value. 


There are two types of professionals in the field of Data Analytics. 


1. The Data Scientist, whose focus is on applying various statistical techniques to data.
He/she is involved in developing intelligent applications, which help users to draw inferences
from data.

2. The Data Analyst, whose focus is on drawing insights from data from a business
perspective. He/she is a business domain expert who uses simple/easily available features of
MS Excel, application software, querying tools, utilities or data analytics to access, analyze
and interrogate data.

Developing functionality that uses the memory power and speed of technology to access and
analyse massive amounts of data is the job of the data scientist. However, deciding what query
is to be run on what data and how to draw inferences applicable to real-life situations is the
job of CAs/Data Analysts.


Common Terminologies Used in Data Analytics

• Data Warehouse

It is the electronic storage of a large amount of data collected from varied sources to provide
meaningful business insights. It is separate from transactional databases. It is also known as
a Decision Support Database or Executive Information System. It has three components:

- Data sources from operational systems such as ERP, CRM, SCM, Excel
- Data Staging Area where data is cleaned and ordered
- Data Access Area where data is warehoused & presented

Example: Airlines use it to analyse route profitability, retail chains use it for tracking
customer buying patterns, and banking uses it to analyse the performance of its products.

Data Warehouse is an architecture and Big Data is a technology to handle huge data. If an
organization wants to know what is going on in its operations, or to plan next year based on
current year performance data etc., it is preferable to choose data warehousing as it needs
reliable data.

If an organization needs to compare with a lot of big data, which contains valuable information
and helps it take better decisions, such as how to earn more revenue, more profitability or
more customers, it would prefer the Big Data approach.

• DATA MARTS

These are the subsets of a Data Warehouse used by specific business groups like HR, Finance,
Sales, Inventory, Procurement & Resourcing. They are much smaller than Data Warehouses
and usually controlled by a specific department.

• BUSINESS INTELLIGENCE (BI)

It encompasses a variety of data analysis tools & applications that access the data within the
Data Warehouse and create reports & dashboards used in decision making.

• DATABASE

It is generally used to capture and store data from a single source, such as an invoice
transactional system. Databases aren't designed to run across very large data sets.

• DATA LAKE

It is a central storage for all kinds of structured, semi-structured or unstructured raw data
collected from multiple sources, even outside of the company's operational systems.

Therefore, it is not a good fit for average business analytics but is used as a playground by
Data Scientists & other data experts as it allows more types of data analytics. It can be used
for text searches, machine learning & real-time analytics.

• DATA SCIENCE

It is a combination of three skills: Statistical/Mathematical, Coding & Domain/Business
knowledge.


Types of data analytics 


1. Descriptive Analytics: provides insight based on past information. It is used in
report generation, providing basic editor functions along with the horizontal and vertical
analysis of financial statements.

2. Diagnostic Analytics: examines the cause of past results and is used in variance
analysis and interactive dashboards to examine the causes of past outcomes.

3. Predictive Analytics: assists in understanding the future and provides foresight by
identifying patterns in historical data. It can be used to predict an accounts receivable balance
and collection period for each customer and to develop models with indicators that prevent
control failures.

4. Prescriptive Analytics: assists in identifying the best option to choose to
achieve the desired outcome through optimization techniques and machine learning.
Prescriptive Analytics is used to identify actions to reduce the collection period of accounts
receivable and to optimize the use of payable discounts.

5. Cognitive Analytics: Proactive action and recognizing patterns using Big Data and AI.

Descriptive ==> Prescriptive ==> Predictive ==> Cognitive

- Descriptive: What happened? Why did it happen? Historical data helps understand past
performance & for root cause analysis. Tools used: Standard Reports, Adhoc Queries,
Statistical Analysis, Graphics etc.
- Prescriptive: How to make it happen? Analysis that suggests a prescribed action. Tools used:
Business Intelligence, Heuristic Methods, Optimization etc.
- Predictive: What could happen? Forecast future performance, events and results. Tools used:
Forecasting, Predictive Modeling, Simulation etc.
- Cognitive: What to do, why & how? Proactive action and recognising patterns using big data.
Tools used: AI, Machine Learning, Neural Networks, Deep Learning, Pattern Recognition

Fig 6.4.1 : Evolution of Analytics and linkage with AI
Data Analytics Functions 


Below are a few of the Data Analytics functions, along with a few illustrations of where
these could be applied in the field of audit:

# | Type of Function | Description | Where to Apply
1 | Column Statistics | Displays column-wise statistics of all numeric, date and character columns | To profile and analyse data at a macro level
2 | Identify Duplicates & Gaps | Identify duplicates in a series of data or displays all successive numeric numbers with defined intervals | Identify duplicate POs, duplicate vendor payments, duplicate vendors, payments without descriptions
3 | Same-Same Different | Identify duplicates in a series of data which have certain fields which are common and certain fields which are different | Identify duplicates based on same GSTN, different location, name etc
4 | Pareto | Displays items in two separate tabs of 80:20 | Profiling payments into High, Medium & Low
5 | ABC Analysis | Displays items in three separate categories as per the same percentage given for each category. |
6 | Quadrant / Pattern Analysis | Displays items in four quadrants as per the specific same percentage given for each category. |
7 | Relative Size Factor (RSF) | Displays the variation between highest value and 2nd highest value (in terms of difference and proportion). | Deriving vendor ratio of highest and 2nd highest bill and check ratios beyond a "X%"
8 | Max Variance Factor (MVF) | Displays the variation between highest and lowest value (in terms of difference and proportion). | Deriving vendor ratio of highest and least bill and check ratios beyond a "x%"
9 | Benford Law | Displays variance in patterns of numeric data based on Benford Law for first digit beginning with 1 to 9. It states that lists of numbers from many real-life sources of data are distributed in a specific and non-uniform way. Number 1 appears about 30% of the time. Subsequently the number 2 occurs less frequently, number 3, number 4, all the way down to 9 which occurs less than once in twenty | Identify payments which fall as an exception to Benford's Law
10 | Authentication | Compare & verify if the amounts processed are within the limits and approval hierarchy. | Verify segregation of duties, instances of exceeding limits
11 | Pivot Table / | Summarizes data by sorting, averaging, or summing and grouping the raw data. MIS can summarise by criteria such as day, day of the week, month etc. | Summarise and reporting payments based on defined
12 | Identify Outliers | Displays instances of transactions beyond "x" times the average, mean, standard deviation etc | Identify payments beyond "x" times the average, standard deviation etc.
13 | Sounds Like / Soundex / Fuzzy Match | Identify vendors with similar names, which sound same based on the phonetics | Identify duplicate / fake vendors created
14 | Aging Analysis | Computes difference of selected two date columns & stratifies on specified intervals for computed date difference. | Identify cases of payments made beyond a specified date
15 | | Displays trendline as per different rules configured using sparklines or chart. |
16 | Matching | Displays records after joining data from up to three worksheets based on common/uncommon column values. | Identify cases of mismatch between PO, RR and Payment
17 | Analytical Review | Displays the difference between values of two numeric columns in number and in percentage. | Analyse the quantitative and other related information
18 | Back-Dated Entries | Identify back-dated entries, duplicates/gaps based on selected numeric/alphanumeric field related to date field based | Identify instances of prior period payments and other related checks
19 | Beneish Score | The Beneish model is a statistical model that uses financial ratios calculated with accounting data of a specific company in order to check if it is likely that the reported earnings of the company have been manipulated | Identify exceptions to the Beneish Score and analyse further
20 | Masks | Displays records that do not match a defined mask where 'C' represents characters and 'N' represents numbers. | Identify transactions which do not follow a specific pattern.

Background Material on Information Systems Audit 3.0 Course (Module 6) 


# | Type of Function | Description | Where to Apply
21 | Sampling | Perform sampling by outliers, characters, numeric, risk weightage, statistics, quadrants, clusters, interval | Sample based on exceptions to test the controls and perform substantive procedures
22 | Splitting Vouchers | Multiple vouchers raised on the same date or similar dates that are cumulatively higher than the approval limit | Identify policy exceptions
23 | Rounding off | Identify high value and round sum vouchers |
24 | Weekend Payments | Identify entries / payments made on weekends |
25 | Vouchers with Blank Reference and Narrations | Identifying vouchers of different fields which are blank |

Steps involved in applying Analytics on Data 


1. Curate / Cleanse the Data - refers to transforming data into a standard structure so that
it is usable for data analytics as required. This includes specific functions for cleaning data by
removing specific characters, transforming data, deleting specific data and transposing data.


2. Profile the Data - refers to the act of analyzing the data contents to get an overall
perspective of the data. This helps in validating data at a macro level and assessing whether
data is correct and complete.


3. Analyze the Data - refers to examining the data in detail to discover essential features
by breaking data into specific components by grouping, identifying and reviewing specific
features. This includes functions for identifying gaps/duplicates, unique, outliers, format, and
changes between two sets of data, sampling, filtering, split data and fuzzy match.


4. Investigate - refers to observing or querying the data in detail. This involves systematic
examination of data by making a detailed inquiry or search to discover facts and insights to
arrive at a conclusion. This includes functions for advanced analysis such as Pareto, ABC,
Quadrant, Cluster, MIS, Statistical, querying data; consolidate/collate data, Relative Size
Factor, Benford Law and relating, comparing and joining files based on specific criteria.


5. Document - refers to automatically documenting functions performed using data
analytics software. This includes functions such as rerun, refresh, audit log, indexing, etc.
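
The five steps above, run end to end on a small voucher register, as an added Python example (not from the course material or from any of the tools it names). The export text, vendor names and the 50,000 approval limit are constructed assumptions, and the split-voucher check covers vouchers on the same date only.

```python
import csv
import hashlib
import io
from collections import defaultdict
from datetime import datetime
from decimal import Decimal

APPROVAL_LIMIT = Decimal("50000")  # assumed per-voucher approval limit

# Constructed voucher export (not real data): mixed-case vendor names, currency
# text in the amount column, a repeated voucher, a missing number, a blank narration.
RAW_EXPORT = """voucher_no,date,vendor,amount,narration
1001,02/01/2023, Acme Traders ,"Rs. 12,500.00",Stationery
1002,02/01/2023,Bharat Steel,"Rs. 30,000.00",Steel rods
1003,02/01/2023,Bharat Steel,"Rs. 28,000.00",Steel rods
1003,02/01/2023,Bharat Steel,"Rs. 28,000.00",Steel rods
1005,07/01/2023,Coastal Logistics,"Rs. 8,200.50",
1006,09/01/2023,acme traders,"Rs. 49,000.00",Furniture
"""


def curate(raw_text):
    """Step 1: bring every field into a standard structure."""
    rows = []
    for rec in csv.DictReader(io.StringIO(raw_text)):
        rows.append({
            "voucher_no": int(rec["voucher_no"]),
            "date": datetime.strptime(rec["date"].strip(), "%d/%m/%Y").date(),
            "vendor": " ".join(rec["vendor"].split()).upper(),
            "amount": Decimal(rec["amount"].replace("Rs.", "").replace(",", "").strip()),
            "narration": rec["narration"].strip(),
        })
    return rows


def profile(rows):
    """Step 2: macro-level totals to reconcile against the source system."""
    amounts = [r["amount"] for r in rows]
    dates = [r["date"] for r in rows]
    return {"records": len(rows), "total": sum(amounts), "min": min(amounts),
            "max": max(amounts), "from": min(dates), "to": max(dates)}


def analyze(rows):
    """Step 3: duplicates and gaps in the voucher number sequence."""
    seen, duplicates = set(), []
    for r in rows:
        if r["voucher_no"] in seen:
            duplicates.append(r["voucher_no"])
        seen.add(r["voucher_no"])
    gaps = sorted(set(range(min(seen), max(seen) + 1)) - seen)
    return {"duplicates": duplicates, "gaps": gaps}


def investigate(rows, limit=APPROVAL_LIMIT):
    """Step 4: split vouchers (same vendor and date only), weekend payments,
    blank narrations. Repeated voucher numbers are counted once."""
    unique = list({r["voucher_no"]: r for r in rows}.values())
    groups = defaultdict(list)
    for r in unique:
        groups[(r["vendor"], r["date"])].append(r["amount"])
    split = [(vendor, day.isoformat(), sum(amounts))
             for (vendor, day), amounts in groups.items()
             if len(amounts) > 1 and sum(amounts) > limit
             and all(a <= limit for a in amounts)]
    return {"split_vouchers": split,
            "weekend": [r["voucher_no"] for r in unique if r["date"].weekday() >= 5],
            "blank_narration": [r["voucher_no"] for r in unique if not r["narration"]]}


def run_pipeline(raw_text):
    """Step 5: run steps 1-4 and document them in an audit log. The SHA-256 of
    the extract lets a reviewer confirm a rerun used the same input."""
    log = [("input_sha256", hashlib.sha256(raw_text.encode("utf-8")).hexdigest())]
    rows = curate(raw_text)
    if not rows:
        raise ValueError("extract contains no records")
    log.append(("curate", {"records": len(rows)}))
    for step in (profile, analyze, investigate):
        log.append((step.__name__, step(rows)))
    return log


if __name__ == "__main__":
    for name, result in run_pipeline(RAW_EXPORT):
        print(f"{name}: {result}")
```

The profile totals are what gets reconciled to the client's ledger before any exception is investigated, which addresses the completeness of the extract.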

Examples of Data Analytics software and Testing tools


The value of Data Analytics is in what it brings through its effective implementation. Data 
Analytics can be performed using various types of software such as: 


• MS Excel: Spreadsheet software of Microsoft has various features useful for auditors.

• General Audit Software: Add-in for MS Excel with specific CAAT functions. Examples
include eCAAT, Power BI (limited features)

• General Audit Software: Data Analysis Software with specific CAAT functions.
Examples include eCAAT, Tableau, Knime, IDEA, ACL etc.

• Application Software: Standard and Ad-hoc Reporting and Query features available or
specific functionalities designed for auditors. Example: Audit modules in certain
applications / ERP have a few Data Analytics features.

• Specialized Audit Software: Audit software designed to work in specific software.

Advanced tools for Analytics

1. Hadoop - open source cloud computing platform that allows storage & processing of
massive amounts of data

2. R programming - open source programming language software that provides data
scientists with a variety of features for analyzing data.

3. Python programming - very powerful, open source and flexible programming language
that is easy to learn and use, and has powerful libraries for data manipulation, management
and analysis.

4. Matlab - its simple syntax is easy to learn and resembles C or C++

5. Julia - is a new programming language that can fill the gaps with respect to improving
visualization and libraries for data analytics.


6.4.2 Examples in Finance 


1. BFSI - Banks and financial services firms use analytics to differentiate fraudulent 
transactions from legitimate business transactions. By applying analytics and machine 
learning, they can define normal activity based on a customer's history and distinguish it from 
unusual behaviour indicating fraud. The analysis systems suggest immediate actions, such as 
blocking irregular transactions, which stops fraud before it occurs and improves profitability. 


2. Compliance and Regulation - Financial services firms operate under a 
heavy regulatory framework, which requires significant levels of monitoring and reporting and 
requires deal monitoring and documentation of the details of every trade. This data is used for 
trade surveillance that recognizes abnormal trading patterns. 

6.4.3 Use Cases


Uber is a popular smartphone application that allows you to book a cab. Uber makes
extensive use of big data. Uber has to maintain a large database of drivers, customers, and
several other records. It is, therefore, rooted in Big Data and makes use of it to derive insights
and provide the best services to its users. Uber shares the big data principle with
crowdsourcing. That is, registered drivers in the area can help anyone who wants to go
somewhere.


Uber contains a database of drivers. Therefore, whenever you hail a cab, Uber matches
your profile with the most suitable driver. It calculates the time taken through various
algorithms that also make use of data related to traffic density and weather conditions.


Uber makes the best use of data science to calculate its surge pricing. When there are fewer
drivers available than riders, the price of the ride goes up, and if the demand for Uber rides
is less, then Uber charges a lower rate. This dynamic pricing is rooted in Big Data and makes
excellent use of data science to calculate the fares based on the parameters.


6.4.4 Impact on Audit 


The larger audit firms, and increasingly smaller firms, utilize data analytics as part of their
audit offering to reduce risk and to add value to the client. Bigger firms often have the
resources to create their own data analytics platforms whereas smaller firms may opt to acquire
an off-the-shelf package. There is no one universal audit data analytics tool but there are many
forms developed in house by firms. These tools are generally developed by specialist staff and
use visual methods such as graphs to present data to help identify trends and correlations.


For auditors, the main driver of using data analytics is to improve audit quality. It allows
auditors to more effectively audit the large amounts of data held and processed in IT systems
in larger clients. Auditors can extract and manipulate client data and analyse it. By doing so
they can better understand the client's information and better identify the risks. Data analytics
tools have the power to turn all the data into pre-structured forms/presentations that are
understandable to both auditors and clients, and even to generate audit programs tailored to
client-specific risks or to provide data directly into computerized audit procedures, thus
allowing the auditor to arrive at the result more efficiently.


Using Data Analytics for assurance requires understanding of business processes and 
application of relevant techniques to specific areas of control to identify conformances, 
deviations, exceptions and variances in the digital data being audited. For example, when data 
analytics is used to obtain audit evidence in a financial statement audit, it is used for: 


• Discovering and analyzing patterns, deviations and inconsistencies, and

• Extracting other useful information in the underlying or related data through analysis,
modelling and visualization for the purpose of planning or performing the audit.


Financial Statement Assertions can be evaluated by auditors by using data analytics on the 
relevant digital data. For example, financial data can be evaluated for: 


Completeness: Whether all transactions and the resulting information are complete. 


Accuracy: Whether all transactions are processed accurately and as intended and the 
resulting information is accurate. 


Validity: Whether only valid transactions are processed, and the resulting information is 
valid. 


Authorization: Whether only appropriately authorized transactions have been 
processed. 


Segregation of duties: Whether controls regarding appropriate segregation of duties and 
responsibilities as defined by management are working as envisaged. 


Compliance: Whether all applicable compliances are complied with, within the required 
timeframe. 


Cut off: Whether transactions are accounted only in the period to which they belong. 
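The following sketch shows how several of these assertions translate into tests over a journal extract. It is an added example, not part of the original material; the field names, the approval limit, the financial period and the sample rows are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample extract (not real client data).
JOURNAL = [
    {"voucher": 1001, "date": date(2023, 4, 3), "amount": 12000.0,
     "created_by": "asha", "approved_by": "ravi"},
    {"voucher": 1002, "date": date(2023, 5, 10), "amount": 75000.0,
     "created_by": "asha", "approved_by": ""},        # above limit, no approver
    {"voucher": 1003, "date": date(2023, 7, 22), "amount": 64000.0,
     "created_by": "meena", "approved_by": "meena"},  # maker is also checker
    {"voucher": 1005, "date": date(2024, 4, 2), "amount": 8000.0,
     "created_by": "asha", "approved_by": "ravi"},    # dated after period end
    {"voucher": 1006, "date": date(2023, 12, 15), "amount": 15000.0,
     "created_by": "meena", "approved_by": "ravi"},
    {"voucher": 1006, "date": date(2023, 12, 15), "amount": 15000.0,
     "created_by": "meena", "approved_by": "ravi"},   # duplicate voucher
    {"voucher": 1007, "date": date(2024, 3, 31), "amount": -500.0,
     "created_by": "asha", "approved_by": "ravi"},    # non-positive amount
]

# Assumed audit parameters.
PERIOD_START = date(2023, 4, 1)
PERIOD_END = date(2024, 3, 31)
APPROVAL_LIMIT = 50000.0  # entries at or above this need an approver


def completeness_gaps(rows):
    """Completeness: voucher numbers missing from the sequence, and duplicates."""
    numbers = [r["voucher"] for r in rows]
    counts = Counter(numbers)
    expected = set(range(min(numbers), max(numbers) + 1))
    missing = sorted(expected - set(numbers))
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicates


def cutoff_exceptions(rows, start, end):
    """Cut off: vouchers dated outside the period under audit."""
    return [r["voucher"] for r in rows if not (start <= r["date"] <= end)]


def authorization_exceptions(rows, limit):
    """Authorization: entries at or above the limit with no approver recorded."""
    return [r["voucher"] for r in rows
            if r["amount"] >= limit and not r["approved_by"]]


def sod_exceptions(rows):
    """Segregation of duties: the same user created and approved the entry."""
    return [r["voucher"] for r in rows
            if r["approved_by"] and r["approved_by"] == r["created_by"]]


def validity_exceptions(rows):
    """Validity: entries whose amount is zero or negative."""
    return [r["voucher"] for r in rows if r["amount"] <= 0]


def run_all(rows):
    """Run every test over the full population and collect the exceptions."""
    missing, duplicates = completeness_gaps(rows)
    return {
        "missing_vouchers": missing,
        "duplicate_vouchers": duplicates,
        "cutoff": cutoff_exceptions(rows, PERIOD_START, PERIOD_END),
        "authorization": authorization_exceptions(rows, APPROVAL_LIMIT),
        "segregation_of_duties": sod_exceptions(rows),
        "validity": validity_exceptions(rows),
    }


if __name__ == "__main__":
    for test, exceptions in run_all(JOURNAL).items():
        print(f"{test}: {exceptions}")
```

Each function tests the whole population rather than a sample, and the parameters used (period, limit) should be recorded on the audit file together with the results.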


6.4.5 Risks and Challenges 


The introduction of data analytics for audit firms isn’t without challenges to overcome. At 
present there is no specific regulation or guidance which covers all the uses of data analytics 
within an audit and this results in difficulty establishing quality guidelines. Other issues which 
can arise with the introduction of data analytics as an audit tool include: 


° Data privacy and confidentiality - the copying and storage of client data risks breach of 
confidentiality and data protection laws, as the audit firm now stores a copy of large 
amounts of detailed client data. This data could be misused by the firm, or illegal 
access could be obtained if the firm’s data security is weak or the firm is hacked, which 
may result in serious legal and reputational consequences. 


° Completeness and integrity of the extracted client data may not be guaranteed - 
specialists are often required to perform the extraction and there may be limitations to 
the data extraction where the firm does not have either the appropriate tools or the 
understanding of the client data to ensure that all data is collected. This may especially 
be the case where multiple data systems are used by a client. 


° Compatibility issues with client systems may render standard tests ineffective if data is 
not available in the expected formats. 


° Audit staff may not be competent to understand the exact nature of the data and output 
to draw appropriate conclusions. Training will need to be provided, which can be 
expensive. 


° Insufficient or inappropriate evidence retained on file due to failure to understand or 
document the procedures and inputs fully. For example, a screen shot on file of the 
results of an audit procedure performed by the data analytic tool may not record the 
input conditions and detail of the testing. 


° The data obtained must be held for several years in a form which can be retested. As 
large volumes will be required, firms may need to invest in hardware to support such 
storage or outsource data storage, which compounds the risk of lost data or privacy 
issues. 


° An expectation gap among stakeholders who think that because the auditor is testing 
100% of transactions in a specific area, the client's data must be 100% correct. 
6.4.6 Professional Opportunities 


Organizations in industries across the world, such as Google, Netflix or Amazon, are shifting 
their strategies because of data. With a data-driven approach in mind, companies are 
looking to hire people to manage their data and uncover the value and meaning behind the 
information they are collecting. As such, data-driven career opportunities and careers in data 
analytics abound for people with data analysis skills. 


Chartered Accountants having a domain expertise in the field of finance, audit, taxes and 
compliance should now equip themselves with these tools and skill sets. This will enable them 
to audit digital data with ease, save time and provide value added services to clients. Since 
Analytics is utilized in varied fields, there are numerous job titles which are coming into 
picture: 


° Analytics Business Consultant 

° Analytics Architect / Engineer 

° Business Intelligence and Analytics Consultant 

° Metrics and Analytics Specialist 

° Preparation of MIS and Dashboards including Visualization Solutions 

° Monitor tracking of Key Performance Indicators (KPIs) and Key Result Areas (KRAs). 


Chartered Accountants should be aware that Data Analytics can be used not just in 
Assurance or for assisting in Compliance; it could open a huge world of opportunities beyond 
that. 


6.5 Internet of Things 
6.5.1 Meaning 


The internet of things, or IoT, is a system of interrelated computing devices, mechanical and 
digital machines, objects, animals or people that are provided with unique identifiers (UIDs) 
and the ability to transfer data over a network without requiring human-to-human or human-to- 
computer interaction. 


How it works 


An IoT ecosystem consists of web-enabled smart devices that use embedded processors, 
sensors and communication hardware to collect, send and act on data they acquire from their 
environments. IoT devices share the data collected through sensors by connecting to an IoT 
gateway or other edge device. From these devices the data is either sent to the cloud to be 
analysed or analysed locally. Sometimes, these devices communicate with other related 
devices and act on the information they get from one another. The devices do most of the 
work without human intervention, although people can interact with the devices, for instance to 
set them up, give them instructions or access the data. 


The connectivity, networking and communication protocols used with these web-enabled 
devices largely depend on the specific IoT applications deployed. 


Example of an IoT system 


[Figure: IoT devices (e.g., sensor, antenna, microcontroller) collect data; an IoT hub or IoT 
gateway collates and transfers the data; back-end systems, analytics or business applications 
(e.g., customer relationship management, ERP) and a user interface (e.g., smartphone, 
human-machine) analyze the data and take action.] 


Fig. 6.5.1 IoT Systems 


Benefits of IoT 

The internet of things offers a number of benefits to organizations, enabling them to: 

° Monitor their overall business processes; 

° Improve the customer experience; 

° Save time and money; 

° Enhance employee productivity; 

° Integrate and adapt business models; 

° Make better business decisions; and 

° Generate more revenue. 


IoT encourages companies to rethink the ways they approach their businesses, industries and 
markets and gives them the tools to improve their business strategies. 


Advantages of IoT 


1. Improved business insight and customer experience - companies are gaining much 
greater insights into their business operations and how their customers use their products or 
services. When a company understands how its customers use its products, it can better 
fulfill their needs and improve the customer experience. 


Example: In a shopping environment, IoT is all about reducing friction in the buying 
experience and helping customers to interact with products, often in a virtual or augmented 
reality environment, pre-purchase. And as with many customer-facing types of IoT 
implementation, there are other benefits too: improved stock/inventory control and supply 
chain management, for example, as reams of data are gathered about popular products and up- 
or cross-selling opportunities. 


2. Efficiency and productivity gains - Employees at Ford’s Valencia Engine Assembly 
Plant in Spain are using a special suit equipped with body-tracking technology. 


The technology is similar to the motion-tracking systems that record how athletes sprint or 
turn, or actors move and speak. Ford has been using the same type of technology to design 
less physically stressful workstations to enhance its manufacturing processes. By accurately 
tracking its workers’ movements, Ford is enabling data-driven changes to its vehicle 
production processes, making them safer and more efficient. 


3. Asset tracking and waste reduction - Closely linked to efficiency and productivity is 
the drive to reduce waste, to which IoT tracking is integral. The more IoT components in a 
business operation, the more it stands to benefit from IoT implementation. 


4. Cost and downtime reductions - One of the benefits of these new insights is often a 
reduction in operational expenditure and downtime. For example, the rapid emergence of 
digital twin technology - digital models of physical assets built from real-time data, either in 
pure data form or as exportable 3D representations - is a key competitive differentiator in 
industrial IoT applications. 


5. Newer business models - IoT revolves around efficiency, productivity and process 
monitoring, and companies recognize the scope for it to provide them with information about 
their customers and how they use their products. IoT also allows organizations to move 
away from conventional business models to new revenue streams. The data acquired often 
holds value in itself, but, more significantly, customers can be offered subscription-based 
services that draw on the connected nature of the company’s products, often offsetting the 
initial cost of entry. 


6.5.2 Examples in Finance 
° Inventory Tracking and Management 


IoT inventions can help you in tracking and managing inventory by giving you automatically 
controlled options. IoT software and devices can be installed in your storage units and 
warehouses, which can help in managing inventory changes while your personnel can invest 
their time in more cognitively demanding tasks. 


° Fraud prevention 


Fraud prevention is a primary concern for financial institutions, which constantly invest in and 
seek new ways of curbing misuse of their offerings. Major financial corporations have already 
successfully implemented AI-based anti-fraud systems. With fraud prevention having such a 
high priority, IoT will be a definite game changer in this area. 


Misuse of debit/credit cards can be prevented by having IoT-enabled security systems at 
points of use, such as ATMs, which have more personal and secure methods of authorization. 


° Optimized capacity management 


Banks constantly aim to expand their network of offices and ATMs, while managing the 
existing units with maximum efficiency. Using IoT-enabled monitoring to track the number of 
customer units per day, the average queue time can be measured to determine the optimal 
number of personnel and counters at each branch. Decisions regarding new branches can 
also be made easier by using the distribution data of customers with respect to location. The 
same can be done to optimize the number and location of cash dispensing machines based on 
usage. 


6.5.3 Use Cases 


1. DeTect Technologies, an IoT start-up, focuses on asset integrity management, 
especially in the conventional oil and gas industry, and has built a unique, patented 
technology for pipeline condition monitoring in real-time using a long-range ultrasonic sensor 
for temperatures of up to 350 degrees Celsius. The solution helps reduce productivity losses 
due to a breach. The company also offers Noctua, an intelligent solution for structural health 
monitoring on hard-to-reach assets such as stacks, columns, pipe racks, vessels, tanks, 
boilers, chimneys etc., and has several Fortune 500 companies as its clients. 


2. TagBox uses IoT automation and analytics as the foundation of its cold chain supply 
business. It helps clients create reliable and sustainable cold chains through comprehensive 
solutions that use IoT, advanced analytics, as well as automation and control, which give 
real-time visibility of the entire cold chain (cold storage, cold transit and retail refrigeration). 
This helps reduce product spoilage, helps meet compliance requirements, cuts energy costs, 
prevents theft and pilferage, decreases cargo insurance premiums, and optimizes 
transportation costs. 


Source: yourstory.com 


6.5.4 IoT and Smart Cities 


Ever since the concept of a smart city was introduced, IoT (Internet of Things) has been 
considered the key infrastructure in a smart city. While the perspective of “smart city” differs 
from region to region and country to country, it is generally understood as using information 
and communication technologies (ICT) to solve the various urbanisation challenges starting 
from lighting, parking, traffic management, housing and urban development, waste 
management, sewage treatment etc. It can be described in a wide sense as the convergence 
of ICT, the ecological environment, energy technologies, and support facilities within urban 
and residential environments. 


Fig. 6.5.2 Few of the applications of IoT in Smart Cities. Source: Internet 


Few Benefits of IoT in creating Smart Cities 


° Better management of traffic and reduced congestion on roads 

° Improved crime detection and surveillance 

° Reduction in pollution 

° Savings in power and electricity 

° Improved safety for citizens 

° Increased efficiency in parking 

° Better waste and sewage management 


6.5.5 Impact on Audit 


° With IoT-assisted accounting, CAs would be able to automatically receive all associated 
data through a digital system, which could help CAs gain access to real-time 
transactional data, along with many controls and exposures in the existing operations, 
increasing the need for continuous auditing processes. This will also allow a wider and 
more comprehensible risk evaluation, which will help to quicken issue assessment and 
remediation. It will also offer real-time management, which will enable businesses and 
CAs alike to respond to issues immediately. 


° IoT makes it easier for organizations to keep tabs on their resources, in relation to 
Inventory and Assets, and that has direct implications for the accountants who are 
responsible for overseeing the budget and its relation to assets. 


° IoT also helps in reducing the time lapse between an event and its recording, for more 
timely decision making and facilitating assessment of process-driven activities. 


° With IoT in place, there would be more data, more action, more observation, and 
reduction of immediate direct human impact. 


° Technologies such as drones can help gather evidence to support assertions and 
perform the audit much faster, in fact in real time. This could be used for physical 
verification of inventory, assessing mines and quarries, etc. 


° IoT-based automation and intelligent systems can detect the presence of personnel and 
check their physical appearance to confirm that the worker has taken the required safety 
measures. Every check conducted leaves an audit trail, and where exceptions are 
found, alarms are raised with evidence. If the situation is corrected, the issue or alarm 
raised can be closed. Separate evidence of compliance may no longer be needed, as 
compliance is ensured automatically. 


° IoT cloud-based workplace and process enhancements will lead to ground-breaking 
transformations. The workplace is now touted as a common place for humans and 
robots to work together. The raw materials needed are demanded or pulled from the 
repositories or warehouses based on the jobs at hand and planned for the day, and are 
automatically routed to the place of work. Every step forward in the workflow is 
detected or communicated so that additional inputs are obtained and the outputs are 
taken to the next step in the process. This kind of self-managed factory setup will have 
all the statistics and logs around the process already created and available. 


° Quality will hardly need any sample checks as all the items will go through a 
compulsory test. Every item would have its own set of quality requirements embedded 
and would reach out to instruments which can verify a specific parameter; thus, each 
end product would have its size verified by a machine, based on the specifications 
embedded. 


° Documentation is one thing that may be solved on its own, since the workflow or 
process maps used for automation are themselves good enough documentation. Also, 
the need for documentation for instructional purposes is reduced, since it is the IoT 
data that drives the processes. 


6.5.6 Risks and Challenges 


Software updates and patches — the time for a patch to be released may be longer 
than the typical cycle for non-IoT devices (if a patch is released at all). Enterprises as 
well as individual consumers can review an IoT vendor's website to determine 
frequency of patches and compare the schedule against vulnerability dates using a 
Common Vulnerabilities and Exposures database. This comparison can provide a level 
of assurance that third-party software developers have adequate policies regarding 
vulnerability assessment and patching. 
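One way to carry out the comparison described above is shown below as an added example, not part of the original material. The CVE identifiers are placeholders, and the dates, the review date and the 90-day threshold are constructed assumptions; in practice the publication dates come from the CVE database and the patch dates from the vendor's release notes.

```python
from datetime import date
from statistics import median

# Constructed sample data for one vendor; CVE identifiers are placeholders.
VULNS = [
    {"cve": "CVE-PLACEHOLDER-0001", "published": date(2023, 1, 10),
     "patched": date(2023, 2, 9)},
    {"cve": "CVE-PLACEHOLDER-0002", "published": date(2023, 3, 1),
     "patched": date(2023, 9, 27)},
    {"cve": "CVE-PLACEHOLDER-0003", "published": date(2023, 7, 1),
     "patched": None},                      # no patch released yet
    {"cve": "CVE-PLACEHOLDER-0004", "published": date(2023, 11, 20),
     "patched": date(2023, 11, 18)},        # fixed before public disclosure
]
REVIEW_DATE = date(2024, 1, 31)  # assumed date of the review
MAX_DAYS = 90                    # assumed acceptable time-to-patch


def exposure_days(vuln, review_date):
    """Days between CVE publication and the patch (or the review date if
    still unpatched). A patch shipped before disclosure counts as 0."""
    end = vuln["patched"] or review_date
    return max((end - vuln["published"]).days, 0)


def classify(vuln, review_date, max_days):
    """Label a vulnerability as 'unpatched', 'late' or 'on_time'."""
    if vuln["patched"] is None:
        return "unpatched"
    if exposure_days(vuln, review_date) > max_days:
        return "late"
    return "on_time"


def longest_release_gap(vulns):
    """Longest interval in days between consecutive patch releases,
    a rough indicator of the vendor's patch frequency."""
    dates = sorted({v["patched"] for v in vulns if v["patched"]})
    gaps = [(later - earlier).days for earlier, later in zip(dates, dates[1:])]
    return max(gaps) if gaps else None


def review(vulns, review_date, max_days):
    """Summarize the vendor's patching record against the CVE dates."""
    rows = [
        {"cve": v["cve"],
         "days": exposure_days(v, review_date),
         "status": classify(v, review_date, max_days)}
        for v in vulns
    ]
    patched_days = [r["days"] for r in rows if r["status"] != "unpatched"]
    return {
        "rows": rows,
        "median_days_to_patch": median(patched_days) if patched_days else None,
        "late": [r["cve"] for r in rows if r["status"] == "late"],
        "unpatched": [r["cve"] for r in rows if r["status"] == "unpatched"],
        "longest_release_gap": longest_release_gap(vulns),
    }


if __name__ == "__main__":
    summary = review(VULNS, REVIEW_DATE, MAX_DAYS)
    for row in summary["rows"]:
        print(f'{row["cve"]}: {row["days"]} days, {row["status"]}')
    print("median days to patch:", summary["median_days_to_patch"])
    print("longest gap between releases:", summary["longest_release_gap"])
```

Unpatched entries are reported separately from the median so that a vendor with a few fast fixes and several open vulnerabilities does not appear healthier than it is.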


Hardware lifespan - IoT devices have their own life cycle, often with built-in 
obsolescence. Components like non-replaceable batteries in IoT devices require life 
cycle planning and asset-management processes specific to IoT. 


Security and privacy issues — IoT promises to provide unprecedented and ubiquitous 
access to the devices that make up everything from assembly lines, health and 
wellness devices, and transportation systems to weather sensors. Unfettered access to 
that much data poses major security and privacy challenges, including: 


Insufficient authentication/authorization—a huge number of users and devices rely on 
weak and simple passwords and authorizations. Many devices accept passwords such 
as “1234.” 


Lack of transport level encryption—most devices fail to encrypt data that are being 
transferred, even when the devices are using the Internet. 


Insecure web/mobile interface—most IoT-based solutions have a web/mobile interface 
for device management or for consumption of aggregated data. This web interface is 
found to be prone to the Open Web Application Security Project (OWASP) Top 10 
vulnerabilities, such as poor session management, weak credentials and cross-site 
scripting vulnerabilities. 


Default credentials—most devices and sensors are configured to use the default 
username/passwords. 


Lack of secure code practices—services and business logic are developed 
without adhering to secure coding practices. 


Privacy concerns—devices used in the health care domain collect at least one piece of 
personal information; the majority of devices collect details such as username and date 
of birth. Privacy risk arises as the objects within the IoT collect and aggregate 
fragments of data that relate to their service. For example, the regular purchase of 
different food types may divulge the religion or health information of the buyer. This is 
one of the aspects of privacy challenges with respect to IoT. 


Challenges 


There are many challenges facing the implementation of IoT. The scale of IoT application 
services is large, covers different domains and involves multiple ownership entities. There is a 
need for a trust framework to enable users of the system to have confidence that the 
information and services are being exchanged in a secure environment. 


° Insecure web interface 

° Insufficient authentication/authorization 

° Insecure network services 

° Lack of transport encryption 

° Privacy concerns 

° Insecure cloud interface 

° Insecure mobile interface 

° Insufficient security configurability 

° Insecure software/firmware 

° Poor physical security 


6.5.7 Governance and Controls 


IoT solutions are complex. The integration of connected devices and IT services poses major 
challenges in networking, communication, data volume, real-time data analysis, and security. 
IoT solutions involve many different technologies and require complex development cycles, 
including significant testing and ongoing monitoring. 


To overcome these challenges, IT organizations must: 

° Develop a comprehensive technical strategy to address the complexity 

° Develop a reference architecture for their IoT solution 

° Develop required skills to design, develop, and deploy the solution 

° Define their IoT governance processes and policies 


IoT solution governance can be viewed as the application of business governance, IT 
governance, and enterprise architecture (EA) governance. In effect, IoT governance is an 
extension to IT governance, where IoT governance is specifically focused on the lifecycle of 
IoT devices, data managed by the IoT solution, and IoT applications in an organization’s IT 
landscape. IoT governance defines the changes to IT governance to ensure the concepts and 
principles for its distributed architecture are managed appropriately and are able to deliver on 
the stated business goals. 


6.5.8 Professional Opportunities 


IoT will bring CAs new opportunities for client service in the areas of business process design 
and data analysis. Clients will need CAs to help set up accounting and recording systems, 
such as dashboards that aggregate data received from the IoT. 


CAs may also be hired to provide opinions on the security of the IoT. Consumers and industry 
want assurance that information and systems will be private. When the IoT takes off, CAs will 
be asked to give their professional opinions on the systems that third parties rely on, unlike 
today, where we are only asked for assurance in special circumstances. 


6.6 Robotic Process Automation 
6.6.1 Meaning 


Robotic process automation is the term used for software tools that automate human activities 
that are manual, rule-based and repetitive. They work by replicating the actions of a human 
interacting with software applications to perform tasks such as data entry and processing of 
standard transactions. 


It is computer-coded software: programs that perform repeated tasks based on defined rules 
and can work across functions and applications. 


Example: A process of reviewing the approved time sheet and raising the invoice in the ERP 
to the appropriate client and sending an email to the client and following up as a part of 
receivable management could be automated as the process is standardised and reasonably 
repetitive. 


[Figure: two columns. Left: computer-coded software; programs that replace humans 
performing repetitive rules-based tasks; cross-functional and cross-application macros. 
Right: walking, talking auto-bots; physically existing machines processing paper; artificial 
intelligence or voice recognition and reply software.] 


Fig. 6.6.1 Robotic Process Automation 

A few of the key objectives of implementing RPA are as follows: 

° Improve accuracy 

° Reduction of monotonous work 

° Higher efficiency 

° Manage controls 

° Skill upgradation of personnel 

° Cost saving 

° Improve customer experience 


6.6.2 Examples in Finance 
These are a few instances / examples in Finance: 


1. Banks have “appointed” RPA software robots to take up complete responsibility for 
initiating a credit card application: gathering all the required documents from the 
individual, making the necessary credit checks and background checks on their own, deciding 
whether or not the individual is eligible for a credit card based on the details provided 
in the earlier step, issuing a new card if they are eligible and, on successful delivery of the 
card, closing the case. The whole process is so systematic that it can comfortably be handed 
to RPA software robots. 


2. E-Commerce websites and Logistics companies can reap loads of benefits from the 
RPA software robots as these kinds of activities can be fully automated without the 
intervention of any human being at all. Since these details can be fetched from the provider 
databases and the shipments can be tracked for delivery over GPS, this can comfortably be 
automated. 


3. RPA is being used to manage the KYC authentication and to update the regular 
processing of the customers / vendors / employee’s documentation. This will ensure faster 
processing of the transactions, quick and error-free results and at the same time improve 
efficiency of the process. 


6.6.3 Use Cases 


ICICI Bank, one of India’s major financial institutions, started its automation journey in 2016. It 
was one of the first private lenders to adopt software robotics on such a large scale. Using 
robotic process automation (RPA), the bank’s operations department deployed 200 robotics 
software programs. The development helped the ICICI Bank to process around 10 lakh 
transactions per day. Today, the RPA is helping to process more than 2 million transactions 
daily. 

6.6.4 Impact on Audit 


While there is a need to understand the impact of any technology from an audit perspective, 
the following are the areas where auditors should concentrate: 


° Need to understand technology 

° Opportunity to influence control design 

° Potential to increase audit efficiency 

° Free up capacity to focus on higher priorities 

° Enhance ability to add valuable insight 

° Need to develop new testing approaches 

° Consider changes to the internal audit staffing model 


6.6.5 Risks and Challenges 


Robotic Process Automation, like all technology and innovation initiatives, comes with 
disruption and associated risks. 


1. RPA strategy risks: RPA is a powerful technology that can drive innovation, improve 
customer service and maximize competitiveness for its organizational adopters, but often 
businesses fail to deliver its full value by setting up the wrong goals and expectations, or 
misusing it for one-off, isolated areas. These can lead to under-resourcing the RPA initiative, 
inhibiting it from reaching its full potential. 


2. Tool selection risks: Just like cloud washing, RPA-washing can be a real risk due to 
the market hype. Many vendors claim automation capabilities that lack basics. For example, 
some vendors just offer screen-scraping, which can lead to high maintenance for error 
correction or changes if it lacks full screen automation features. Due to this nuance, companies 
can often end up choosing the wrong tool/s for their needs. 


3. Launch/project risks: To mitigate the risk of a project launch failure, organizations 
need to prevent technical failures and financial failures. For example, companies that choose 
to adopt RPA in departments with the most headcount in order to generate more savings fail 
due to the large load of changing processes and exception handling. 


4. Operational/execution risks: Operational risks occur when robots get deployed into 
operations without a proper operating model. If enterprises don't define roles and rush into 
training, responsibilities can be blurred when bots go into production, and humans can find 
themselves confused about their roles. 


RPA Challenges 


1. Shortage of skilled resources - RPA is booming with the increase in the requirements 
of today’s market; however, there is a shortage of skilled resources in the RPA market. 
Procuring resources while starting a new project and back filling a key resource in case of 
attrition poses a great threat to the success of any project. Also, RPA professionals with 
extensive experience expect lucrative packages, which might not be financially viable for 
some of the companies. 


2. Lack of proper team structure - Dedicated teams with clearly defined roles for each 
and every individual are needed to ensure the hand-offs happen on time and to the expected 
standards. Lack of adequate knowledge about the processes to be followed and sharing of 
resources between multiple projects poses a risk in achieving the set milestones for RPA 
projects. 


3. Unable to automate end-to-end cases - In some of the processes, not all the steps 
can be automated directly by using rule-based RPA tools. Instead it would require integration 
with Machine learning algorithms and OCR engines. However, these additional technology 
components will cost extra money and skill sets, which might not produce the expected results 
for the business leaders. 


4. Vaguely defined business continuity plans - The expectation about RPA projects is 
set in such a way that once the bots are deployed in production, there should be minimum to 
no maintenance required to ensure smooth delivery. However, the reality is that it does 
require maintenance in terms of identification of new unhandled scenarios during bot 
execution. Issues are also faced in production environments, in defining bot execution 
schedules based on requirements from multiple business units operating from different time 
zones, and in mitigation plans during major failures. 


6.6.6 Governance and Controls 


A governance structure that defines roles and responsibilities for automation activities will help 
deliver successful RPA initiatives. 


Key elements include: 


1. Ownership - involve legal, risk, IT and other teams that are involved in the process 
due to be automated. It includes process-specific subject matter experts (SMEs) for insight 
into the process nuances. 


2. Deployment framework - calibrate production and development environments to 
ensure smooth RPA deployment. Ensure IT is aware of RPA-enabled processes. Ensure 
a change management process is in place. 


3. Operational risk / data security - create a cross-functional team to clear temporary 
backlogs in case of bot failure and maintain people in critical processes for error-free delivery. 


4. Enterprise management - communicate the benefits: RPA helps to eliminate 
repetitive, non-value-adding tasks so employees can make a greater impact in their roles. 
Involve HR to support employees' up-skilling, which increases employee morale and improves 
productivity. Employees should be prepared to work along with the software robots. 


5. RPA Vision/roadmap - create a center of excellence (COE) early in the journey to 
accelerate adoption of RPA across the enterprise. Set deadlines for achieving intelligent 
automation to leverage the full value of automation. 


6.6.7 Professional Opportunities 


Many exciting new jobs will be created by RPA as automation will require a new type of skill 
set. The creation of new types of job opportunities will outweigh the displaced jobs. This 
research validates the confidence in the creation of new types of industries requiring new 
kinds of functions and skills. 


The McKinsey Global Institute estimated in its December 2017 report that by 2030, 
automation will drive between 75 and 375 million people to reskill themselves and switch 
occupations. 


Robotic Process Automation (RPA) is not replacing accountants but evolving their role and 
augmenting their effectiveness through automation. It is a progressive, positive, and 
necessary shift that is creating the digital workspace for accounting and finance professionals 
to focus on the greatest value they can provide to their organisation. 




Recommended Reading 
° ICAI Publication on "Guide to Cloud Computing for Accountants" 

° ICAI "E-learning on Robotics Process Automation" 

° ICAI Concept Paper on "Blockchain Technology - Adoption Trends and Implications for 
Accountancy Profession" 

° ICAI Concept Paper on "Embracing Robotic Process Automation - Opportunities and 
Challenges for Accountancy Profession" 

° Webinars organized by Digital Accounting and Assurance Board of ICAI 

° ICAI Journals 

° ISACA Publications / Tech Briefs on Emerging Technologies 

° ISACA Audit Programs on Emerging Technologies 


MCQs 

1. What does P2P technology stand for? 
a. Password to Password 
b. Peer to Peer 
c. Product to Product 
d. Private Key to Public Key 

2. What is Blockchain? 
a. A distributed ledger on a peer to peer network 
b. A type of cryptocurrency 
c. An exchange 
d. A centralized ledger 

3. Which of the following is not a step involved in RPA? 
a. Preparation of project 
b. Development of business cases 
c. Implementation of RPA 
d. Data Cleaning 

4. Which of the following statements about RPA is false? 
a. It is a walking talking robot 
b. It is a computer coded software 
c. These are programs that replace human repetitive tasks 
d. These perform in cross functional platforms 

5. Which of the following is a system of inter-connected and inter-related computing 
devices that have the ability to transfer data over a network? 
a. Blockchain 
b. Internet of Things 
c. Robotic Process Automation 
d. Artificial Intelligence 

6. Which one is the simplest form of analytics? 
a. Predictive 
b. Descriptive 
c. All of the mentioned 
d. Prescriptive 

7. The method by which companies analyze customer data or other types of 
information in an effort to identify patterns and discover relationships between 
different data elements is often referred to as: 
a. Customer data management 
b. Data mining 
c. Data digging 
d. None of the above 

8. Which of the following is a central storage for all kinds of structured, 
semi-structured or unstructured raw data collected from multiple sources, even outside 
of the company's operational systems? 
a. Data Warehouse 
b. Data Lake 
c. Database 
d. Data marts 

9. Which of the following tools best describes Predictive Analytics? 
a. Simulation 
b. Statistical Analysis 
c. Machine Learning 
d. Graphical reports 

10. Which of the following is not a cloud deployment model? 
a. Private 
b. Public 
c. IaaS 
d. Hybrid 

11. Which of the following is not a stream of AI? 
a. Machine Learning 
b. Big Data 
c. Speech Recognition 
d. Natural language processing (NLP) 

12. Which of the following is not an example of an AI platform? 
a. Watson 
b. TensorFlow 
c. AWS AI 
d. Microsoft Power BI 

Answers 

1. Option b - Peer to Peer 
P2P stands for Peer to Peer technology, where every participant acts as an individual 
peer in the network. 

2. Option a - A distributed ledger on a peer to peer network 
Blockchain is a distributed ledger on a peer to peer network. 

3. Option d - Data Cleaning 
Data Cleaning is not an activity within RPA. Preparation of project, Development of 
business cases and Implementation of RPA are steps within the RPA project. 

4. Option a - It is a walking talking robot 
RPA is not a walking talking robot. It is instead computer coded software that replaces 
human repetitive tasks and can perform in cross functional platforms. 

5. Option b - Internet of Things 
The Internet of Things, or IoT, is a system of interrelated computing devices, mechanical 
and digital machines, objects, animals or people that are provided with unique 
identifiers (UIDs) and the ability to transfer data over a network without requiring 
human-to-human or human-to-computer interaction. 

6. Option b - Descriptive Analytics 
Descriptive analytics is a preliminary stage of data processing that creates a summary 
of historical data to yield useful information and possibly prepare the data for further 
analysis 

7. Option b - Data Mining 
Data mining refers to a method where companies analyze customer data or other types 
of information in an effort to identify patterns and discover relationships between 
different data elements. 

8. Option b - Data Lake 
Data Lake is a central storage for all kinds of structured, semi-structured or 
unstructured raw data collected from multiple sources, even outside of the company's 
operational systems. 

9. Option a - Simulation 
Predictive Analytics analyses past behaviour and makes predictions about the 
future to identify new trends. Simulation is one such technique used in predictive 
analytics. Graphical reports and statistical analysis are more commonly associated with 
historical / descriptive analytics. Machine Learning is used in Cognitive analytics. 

10. Option c - IaaS 
Private, Public and Hybrid are cloud deployment models. IaaS is a Cloud Service Model 
as per NIST categorisation. 

11. Option b - Big Data 
Big Data refers to huge and voluminous data characterised by volume, variety and 
velocity. Machine Learning, Speech Recognition and NLP are streams in AI. 

12. Option d - Microsoft Power BI 
Microsoft Power BI is predominantly a Data Analytics Platform. Watson, TensorFlow 
and AWS AI are AI Platforms. 